US6182226B1 - System and method for controlling interactions between networks - Google Patents


Info

Publication number
US6182226B1
Authority
US
United States
Prior art keywords
regions
region
network
communication
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
US09/040,832
Inventor
Irving Reid
Spencer Minear
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
McAfee LLC
Original Assignee
Secure Computing LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Secure Computing LLC
Priority to US09/040,832
Assigned to SECURE COMPUTING CORPORATION. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: REID, IRVING; MINEAR, SPENCER
Priority to EP99912688A
Priority to PCT/US1999/005991
Application granted
Publication of US6182226B1
Assigned to CITICORP USA, INC. AS ADMINISTRATIVE AGENT. SECURITY AGREEMENT. Assignors: CIPHERTRUST, INC.; SECURE COMPUTING CORPORATION
Assigned to SECURE COMPUTING CORPORATION. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CITICORP USA, INC.
Assigned to SECURE COMPUTING, LLC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: SECURE COMPUTING CORPORATION
Assigned to MCAFEE, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SECURE COMPUTING, LLC
Assigned to MCAFEE, LLC. CHANGE OF NAME AND ENTITY CONVERSION. Assignors: MCAFEE, INC.
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Anticipated expiration
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST. Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A. CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST. Assignors: MCAFEE, LLC
Assigned to MCAFEE, LLC. RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786. Assignors: JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT
Assigned to MCAFEE, LLC. RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676. Assignors: MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT
Assigned to SECURE COMPUTING CORPORATION. CORRECTIVE ASSIGNMENT TO CORRECT THE PROPERTY NUMBERS PREVIOUSLY RECORDED AT REEL: 021523 FRAME: 0713. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF PATENT SECURITY AGREEMENT. Assignors: CITICORP USA, INC.
Expired - Lifetime

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/0272 Virtual private networks
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present invention relates generally to network security, and more particularly to a system and method of grouping networks to enforce a security policy.
  • a firewall is a system which enforces a security policy on communication traffic entering and leaving an internal network.
  • Firewalls are generally developed on one or more of three models: the screening router, the bastion host, and the dual homed gateway. These models are described in U.S. Pat. No. 5,623,601 to Vu, issued Apr. 22, 1997 and entitled APPARATUS AND METHOD FOR PROVIDING A SECURE GATEWAY FOR COMMUNICATION AND DATA EXCHANGES BETWEEN NETWORKS (Vu), which is hereby incorporated herein by reference.
  • Packet filters are generally host-based applications which permit certain communications over predefined ports. Packet filters may have associated rule bases and operate on the principle that whatever is not expressly permitted is prohibited. Public networks such as the Internet use the TCP/IP protocol. A UNIX operating system running TCP/IP has a capacity of 64K communication ports, so it is generally considered impractical to construct and maintain a comprehensive rule base for a packet filter application. Moreover, packet filtering is implemented using the simple Internet Protocol (IP) packet filtering mechanisms, which are not regarded as robust enough to permit an adequate level of protection.
  • IP: Internet Protocol
  • Packet filters are executed by the operating system kernel, and there is a limited capacity at that level to perform screening functions.
  • protocols may be piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to access the private network.
  • It is an object of this invention to provide a method for controlling interactions between networks by the use of firewalls with defined regions.
  • the present invention is directed to a system and method of achieving network separation within a computing system having a plurality of network interfaces.
  • One aspect of the invention is a method comprising the steps of defining a plurality of regions; configuring a set of policies for each of the plurality of regions; assigning each of the plurality of network interfaces to only one of the plurality of regions, wherein at least one of the plurality of network interfaces is assigned to a particular region; and restricting communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
  • Another aspect of the invention is a secure server comprising an operating system kernel; a plurality of network interfaces which communicate with the operating system kernel; and a firewall comprising a plurality of regions, wherein a set of policies have been configured for each of the plurality of regions; wherein each of the plurality of network interfaces is assigned to only one of the plurality of regions; wherein at least one of the plurality of network interfaces is assigned to a particular region; and wherein communication to and from each of the plurality of network interfaces is restricted in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
  • FIG. 1 depicts an implementation of the firewall of the present invention.
  • FIG. 1b depicts another computing system protected by a firewall.
  • FIG. 2 shows the regions and their members as defined in the present invention.
  • FIG. 4 is a flow diagram for a virus alert.
  • FIG. 5 depicts a method by which incoming data packets are processed in accordance with the present invention.
  • Two representative firewall-protected computing systems are shown in FIGS. 1a and 1b.
  • System 10 in FIG. 1a includes an internal network 12 connected through firewall 14 to external network 16.
  • A server 18 and one or more workstations 20 are connected to internal network 12 and communicate through firewall 14 with servers or workstations on external network 16.
  • System 30 in FIG. 1b includes an internal network 32 connected through firewall 34 to external network 36.
  • a server 38 and one or more workstations 40 are connected to internal network 32 .
  • a server 42 is connected through network 44 to firewall 34 .
  • Workstations 40 communicate through firewall 34 with servers or workstations on external network 36 and with server 42 on network 44 .
  • network 44 and server 42 are in a sort of demilitarized zone (DMZ) providing protected access to server 42 to internal users and to external entities.
  • DMZ: demilitarized zone
  • firewalls 14 and 34 implement a region-based security system as will be discussed below.
  • The operating system on which firewall 34 is implemented is the BSDI 3.1 version of UNIX, a security-hardened operating system with each application separated out and protected by type enforcement technology.
  • the functions of firewall 34 are all integrated with the operating system, and each one is completely compartmentalized and secured on its own, and then bound by type enforcement control.
  • Type enforcement, which is implemented within the operating system itself, assures a very high level of security by dividing the entire firewall into domains and file types.
  • Domains are restricted environments for applications, such as FTP and Telnet.
  • a domain is set up to handle one kind of application only, and that application runs solely in its own domain.
  • File types are named groups of files and subdirectories. A type can include any number of files, but each file on the system belongs to only one type.
  • Type enforcement is based on the security principle of least privilege: any program executing on the system is given only the resources and privileges it needs to accomplish its tasks.
  • type enforcement enforces the least privilege concept by controlling all the interactions between domains and file types. Domains must have explicit permission to access specific file types, communicate with other domains, or access system functions. Any attempts to the contrary fail as if the files did not exist.
  • the type enforcement policy is mandatory, and nothing short of shutting the system down and recompiling the type enforcement policy database can change it.
  • Type enforcement is described in two pending patent applications entitled SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES, Ser. No. 08/322,078, filed Oct. 12, 1994, and SYSTEM AND METHOD FOR ACHIEVING NETWORK SEPARATION, Ser. No. 08/599,232, filed Feb. 9, 1996, both of which are incorporated herein by reference.
  • a type enforcement scheme provides for the secure transfer of data between a workstation connected to a private network and a remote computer connected to an unsecured network.
  • a secure computer is inserted into the private network to serve as the gateway to the unsecured network and a client subsystem is added to the workstation in order to control the transfer of data from the workstation to the secure computer.
  • the secure computer includes a private network interface connected to the private network, an unsecured network interface connected to the unsecured network, wherein the unsecured network interface includes means for encrypting data to be transferred from the first workstation to the remote computer, a server function for transferring data between the private network interface and the unsecured network interface and a filter function for filtering data transferred between the remote computer and the workstation.
  • the firewall of the present invention features application-level gateways, which negotiate communications and never make a direct connection between two different networks. Hence, unlike packet filtering, which, as described in the prior art, applies rules on every incoming packet of data, the firewall applies rules applicable to the network or port in which data packets are entering.
  • the gateways have a detailed understanding of the networking services they manage. This architecture isolates activity between network interfaces by shutting off all direct communication between them. Instead, application data is transferred in a sanitized form, between the opposite sides of the gateway.
  • the system has been designed to defend against known network penetration and denial of service attacks, including:
    • SYN Flood attack
    • Ping of death (fat ping attack)
    • IP spoofing
    • Malformed packet attacks (both TCP & UDP)
    • ACK storms
    • Forged source address packets
    • Network probes
    • Packet fragmentation attacks
    • Session hijacking
    • Log overflow attacks
    • SNMP attacks
    • Log manipulation
    • ICMP broadcast flooding
    • Source routed packets
    • Land attack
    • DNS cache corruption
    • ARP attacks
    • Mail spamming
    • Ghost routing attacks
    • DNS denial of service
    • Sequence number prediction
    • FTP bounce or port call attack
    • Buffer overflows
    • ICMP protocol tunnelling
    • Mail exploits
    • VPN key generation attacks
    • Authentication race attacks
  • the firewall also includes intruder response that allows administrators to obtain all the information available about a potential intruder. If an attack is detected or an alarm is triggered, the intruder response mechanism collects information on the attacker, their source, and the route they are using to reach the system.
  • alarms can be configured to automatically print results or to email them to the designated person.
  • Regions are groupings of physical interfaces (network cards) and virtual networks (VPNs) into entities of similar trust.
  • FIG. 2 depicts regions Internet, Secure ‘DMZ’, R&D Network, Sales Offices, Worldwide Customer Service, and Worldwide Sales.
  • In FIG. 2, all Sales or Customer Support departments in the company's offices can be grouped together into regions Worldwide Sales and Worldwide Customer Service, respectively.
  • Regions permit the grouping of networks and VPNs that require the same type of security, thereby eliminating the need to enter multiple versions of the same access rule for each network or VPN. Thus regions allow flexibility in tailoring a security policy.
  • the first task is to group together networks or VPNs that require the same type of network access.
  • Each network interface card or VPN that is grouped in a region is considered a member of that region.
  • a region can consist of the following members:
  • user 1, user 2, user 3, mgr 1, and mgr 2 of the region named R&D Network would have the same rights defined for the R&D Region.
  • Roaming Sales 1, Roaming Sales 2, Roaming Sales 3, etc. would have the same rights accorded to all members of the region named Sales Offices.
  • user 1, user 2, Roaming Sales 1, Roaming Sales 2, mgr 1, etc. do not necessarily represent only workstations. In other words, it is possible for user 2 to log on to the workstation onto which user 3 might ordinarily log on, or for mgr 1 to log on to the workstation onto which mgr 3 might ordinarily log on.
  • Every region is protected from every other region as defined in the firewall of the present invention. All connections to and from each region are first examined by the firewall. Regions may communicate with each other only if an appropriate access rule has been defined. For each access rule, first, the services that the rule will control must be defined, then, second, the regions that the connection is traveling between must also be defined. For example, if the Internal region is to be allowed to access Telnet services on the Internet region, the access rule must specify Telnet as the service that the rule controls and specify the From: region as Internal and the To: region as Internet. Hence, the firewall of the present invention does not allow traffic to pass directly through the firewall in any direction. Region to Region connections are made via an application aware gateway. Application-level gateways understand and interpret network protocol and provide increased access control ability.
  • the ACLs are the heart and soul of the firewall. For each connection attempt, the firewall checks the ACLs for permissions on use and for constraints for the connection. Constraints can include: encryption requirements, authentication requirements, time of day restrictions, concurrent sessions restrictions, connection redirection, address or host name restrictions, user restrictions and so forth.
  • Access rules are the way in which the firewall protects regions from unauthorized access. For each connection attempt, the firewall checks it against the defined access rules. The rule that matches the characteristics of the connection request is used to determine whether the connection should be allowed or denied.
  • Access rules are created in a completely new way—using decision trees. Knowing that an access rule is based on a series of decisions made about a connection, the firewall permits the building of an access rule based on “nodes” of decision criteria. A node can be added to check for such criteria as the time of day, whether the connection uses the appropriate authentication or encryption, the user or group initiating the connection request, or the IP address or host of the connection. Each node is compared against an incoming connection request, and whether the connection is allowed or denied is determined by the results of the node comparisons.
  • Every access rule must consist of two specific nodes. The first, the Services node, decides which service(s) the rule will control. The second, the From/To node determines the source region and destination region of the connection. Once the services and regions for the rule are established, more nodes can be added to determine specific details about the connection.
  • a connection request can be checked based on the time of day, its users and groups, its IP addresses and hosts or maximum concurrent sessions.
  • the firewall determines whether the connection is true or false. If the connection meets the criteria listed in the node, the connection is considered true and proceeds along a “true” branch. If the connection does not meet the node criteria, the connection is considered false and proceeds along a “false” branch.
  • Filters can require that a connection has certain authentication or encryption, use SmartFilter to block particular WWW connections, or filter the connection to see if it contains Java or ActiveX content. Filters differ from decision nodes in that they do not determine whether a connection is true or false. Instead, filters attempt to apply a condition to the connection. If the filter can be applied to the connection, the filter is performed and the connection proceeds along the same path. If the filter does not apply to the connection, the filter is ignored and the connection still proceeds.
  • a rewrite node is a point in an access rule where source or destination addresses are mapped to other source or destination addresses.
  • Destination IP address rewrites allow an inbound connection through network address translation (NAT) address hiding to be remapped to a destination inside the NAT barrier.
  • Source address rewrites can be used on outbound connections to make the source appear to be one of many external addresses. This process allows the internal hosts to be aliased to external addresses. Rewrites can be based on any connection criteria, including users.
  • At any point in an access rule, one can add an alert that notifies recipients when a connection has reached a particular point in the rule. Using these alerts, one can monitor specific users, IP addresses and other criteria contained within a specific access rule.
  • When a connection request reaches a node in a rule, it is checked against the information in the node. If the node is a filter node, the filter condition is either applied or ignored; only one branch leads out of a filter node. If the node is a decision node, there are two possible results: if the connection meets the criteria listed, it is considered true and follows the “true” branch of the access rule; otherwise, the connection is considered “false” and follows the false branch.
  • the GUI presents access rules as a decision tree with special kinds of nodes which make true or false decisions. Each decision leads to a branch which contains more nodes.
  • Filters can be acquired along the path a connection takes through a rule. These filters are not processed by the kernel, with the exception of redirects (rewrite of destination address or port).
  • In the access rule shown, the time of day is checked (50). If during business hours, the user is checked (52). Certain users are allowed, so the connection is allowed (54), as indicated by the check mark. However, some users (56) require a SmartFilter check (58), whereas everyone else is denied (60).
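As an added illustration (not code from the patent or from the product it describes), the following Python models the region and access-rule machinery described above: each interface or VPN is a member of exactly one region, a rule is selected by its mandatory Services and From/To nodes, and the remaining decision, filter and alert nodes are walked to an allow or deny verdict. The tree reproduces the walkthrough just given (time of day, then user, then a SmartFilter step for some users, deny for everyone else). Region names follow FIG. 2; the interface names, user names, business hours and rule name are constructed assumptions. A connection with no selecting rule, or one arriving on a member that was never assigned to a region, is denied, since regions may communicate only where a rule says so.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

# Members (physical interfaces and VPNs) mapped to the single region each belongs to.
# Region names follow FIG. 2; the member names are constructed for this example.
REGION_OF_MEMBER: Dict[str, str] = {
    "em0": "Internet",
    "em1": "R&D Network",
    "em2": "Secure DMZ",
    "vpn-roaming-sales-1": "Sales Offices",
}

ALLOW, DENY = "allow", "deny"          # terminal nodes of a rule


@dataclass
class Connection:
    service: str
    in_member: str                     # interface/VPN the request arrived on
    out_member: str                    # interface/VPN that reaches the destination
    user: Optional[str] = None
    hour: int = 12                     # local hour, consulted by the time-of-day node
    filters: List[str] = field(default_factory=list)   # filter strings collected on the way
    alerts: List[str] = field(default_factory=list)    # alert messages triggered on the way


def region_of(member: str) -> Optional[str]:
    """Region a member belongs to, or None if it was never assigned (no rule can select it)."""
    return REGION_OF_MEMBER.get(member)


@dataclass
class Decision:
    """True/false node: the connection proceeds along exactly one of two branches."""
    name: str
    test: Callable[[Connection], bool]
    if_true: "Node"
    if_false: "Node"


@dataclass
class Filter:
    """Filter node: records a condition to apply, then continues along its single branch."""
    text: str
    then: "Node"


@dataclass
class Alert:
    """Alert node: notifies when a connection reaches this point, then continues."""
    message: str
    then: "Node"


Node = Union[Decision, Filter, Alert, str]


@dataclass
class AccessRule:
    name: str
    services: FrozenSet[str]           # the mandatory Services node
    from_region: str                   # the mandatory From/To node ...
    to_region: str
    root: Node                         # further nodes describing the connection

    def selects(self, conn: Connection) -> bool:
        return (conn.service in self.services
                and region_of(conn.in_member) == self.from_region
                and region_of(conn.out_member) == self.to_region)


def walk(node: Node, conn: Connection) -> str:
    """Follow the rule's nodes until an allow/deny terminal is reached."""
    while not isinstance(node, str):
        if isinstance(node, Decision):
            node = node.if_true if node.test(conn) else node.if_false
        elif isinstance(node, Filter):
            conn.filters.append(node.text)
            node = node.then
        else:
            conn.alerts.append(node.message)
            node = node.then
    return node


def check_access(rules: List[AccessRule], conn: Connection) -> Tuple[str, Optional[str]]:
    """Every region is protected from every other: with no selecting rule the verdict is deny."""
    for rule in rules:
        if rule.selects(conn):
            return walk(rule.root, conn), rule.name
    return DENY, None


# Constructed policy data for the walkthrough: business hours, users allowed outright,
# and users whose WWW traffic must pass through SmartFilter.
BUSINESS_HOURS = range(9, 18)
TRUSTED_USERS = {"mgr1", "mgr2"}
FILTERED_USERS = {"user1", "user2", "user3"}

WALKTHROUGH_TREE: Node = Decision(
    "business hours", lambda c: c.hour in BUSINESS_HOURS,
    if_true=Decision(
        "trusted user", lambda c: c.user in TRUSTED_USERS,
        if_true=ALLOW,
        if_false=Decision(
            "needs SmartFilter", lambda c: c.user in FILTERED_USERS,
            if_true=Filter("smartfilter", ALLOW),
            if_false=DENY)),
    if_false=Alert("after-hours WWW request", DENY))

RULES = [AccessRule("rnd-www-out", frozenset({"WWW"}), "R&D Network", "Internet", WALKTHROUGH_TREE)]

if __name__ == "__main__":
    for user, hour in (("mgr1", 10), ("user2", 10), ("guest", 10), ("mgr1", 22)):
        conn = Connection("WWW", "em1", "em0", user=user, hour=hour)
        verdict, rule = check_access(RULES, conn)
        print(f"{user}@{hour:02d}h -> {verdict} by {rule}; filters={conn.filters} alerts={conn.alerts}")
```

The filters list the walk collects is the analogue of the filter text the ACL call hands back to the proxy: the verdict says whether to connect, the collected filters say what the proxy must still do to the session.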
  • the firewall of the present invention introduces a revolutionary means to manage network access control.
  • Traditional firewalls provide lists of access control rules, but as more rules and controls are added, these lists become unmanageable.
  • As shown in FIG. 3, the present invention presents a visual means by which access control can be defined and easily understood through flowchart-style diagrams.
  • the firewall's access flow diagrams allow any decision criteria to be based on any other decision, in any order. If the administrator wants to check user first, then time, then apply a specific access policy, they can. In addition, the flow diagrams are object oriented for greater power.
  • Access control rules on the firewall can be defined with flexibility previously unknown in the industry. This allows, for example, different web filtering policies on a per-user basis, the ability to deny a connection if it isn't encrypted, and authenticating one connection by strong token and another by password. Access rules can incorporate any of the following criteria:
  • Source and destination addresses, networks, hosts, and domains
  • Type of service (WWW, Email, Telnet, FTP, etc.)
  • Source and destination service port and IP address rewrites
  • the firewall's access control diagrams include the capability of IP address rewrites, which allows a connection inbound through NAT address hiding to be remapped to a destination inside the NAT barrier. Also, rewrites can be used on outbound connections to make the source appear to be one of many external addresses. This allows internal hosts to be aliased to external addresses.
  • Rewrites can be based on any connection criteria, including users. So the administrator can have anonymous FTP connections directed to a public access FTP server on the Secure Server Net, but remap users to their internal machines.
  • the firewall's access control diagrams also include the capability of sending alerts, with an administrator-defined message, based on any connection decision. Alerts can be dropped into the access flow diagrams at any point. If a connection reaches that point in the diagram, the alert is triggered. For example, in FIG. 4, a check for viruses is performed on a file ( 70 ). If a virus is found, the administrator is alerted ( 72 ), and the transfer is redirected to a safe location for later inspection ( 74 ).
  • The ACLs consist of all the required kernel code. This is all the code that implements the rules themselves in the kernel, including building, modifying, deleting, and querying the rules. Also included are the system calls that the user-level programs need to use the ACLs. The parsing of the return values, especially the filters, is not part of the ACLs themselves, since the filter rules are defined dynamically by the programs issuing the system calls to build the ACLs. It is the intent that the kernel be flexible enough to handle all the filter requirements without needing modifications for future enhancements.
  • the ACLs themselves must satisfy the requirements laid out by the GUI design. This dictates to a large degree how the rules must be implemented. Since the user has no direct access to the ACLs (rather they use the user interface), there are no ease of use concerns here except to say that the ACLs must be something the developers can work with easily. Hence, there exists a good set of tools to debug the ACLs.
  • VPN: Virtual Private Networking
  • Every access control is available to VPN connections in exactly the same way as for physically connected networks: user controls, IP restrictions, protocol filters, address hiding, multi-homing, and more.
  • VPN is a method of authenticating and transparently encrypting bi-directional data transmissions via the Internet. Both gateway to gateway network links as well as roaming users on VPN enabled laptops are utilizing the security and cost effectiveness of VPN Internet encrypted communications.
  • VPN technology is embedded in the core design of the firewall of the present invention.
  • Each socket has two endpoints, so there can be up to four different IP addresses.
  • loc_dst_addr could be anything if the firewall bound to a wildcard address.
  • The two sockets and their addresses:
                       client_sock                                 server_sock
    client (cli_addr) <--> (loc_dst_addr) [firewall (invention)] (loc_src_addr) <--> (srv_addr) server
  • The SIGWINCH signal is used to force all ACLs to be rechecked and to make proxies re-initialize themselves (for proxies that use config files). Most proxies will handle this signal themselves, but if secured performed an ACL check before starting a proxy, it must also do the recheck.
  • the SIGWINCH signal will come from the backend, which will use killpg() to signal all the inetd daemons, secured processes, and their child proxies or servers. Note that the default action for SIGWINCH is ignore, so inetd did not need to be modified.
  • Some transient proxies use the SIGALRM internally to do idle proxy timeouts (tcpgsp, tnauthp, sqlp).
  • proxies should shutdown cleanly if given a SIGTERM signal.
  • the backend uses SIGTERM to kill inetd processes when the last service has been removed.
  • Squid will re-open (not rotate) its logfiles if given the SIGUSR1 signal, and re-initialize itself if given SIGWINCH or SIGHUP. Note that this means squid does not do ACL rechecks; it treats SIGWINCH just like a SIGHUP—closes its listen sockets, waits 30 seconds for active sessions to terminate, then re-opens the listen sockets. This easy way out was chosen because squid's connections are relatively short-lived.
  • proxy idle timeout as N seconds (transient only)
  • ch s for syslog
  • ch a for audit
  • ch e for stderr
  • the firewall of the present invention uses new structured audit calls for session logging, which include src and dst region, ACL matched, auth method, encryption state, etc.
  • the new calls are:
  • audit_log_ftp to log FTP file transfers, includes user, filename, size
  • audit_log_smartfilter to log URL, action (allow/deny), blocked categories
  • SecureZone has incorporated the proxy-warder-interface (pwif) from Sidewinder.
  • pwif: proxy-warder-interface
  • The pwif interface was already supported by tnauthp; we added pwif support to ftpp and to the GUI login.
  • the backend will have to keep the squid passwd file in sync with the static-passwd file used for ftp and telnet.
  • ACLs also return the following: from_region, to_region, destination redirects for IP and port, source redirects for IP and port, transparency settings and filters.
  • ACL filters are encoded as strings, for example (from acl_util.h):
    /* FTP site, del, WWW: java, activex, cookies */
    #define FILTER_STR1 "pfs
    "
    /* generic filter: debug 3 */
    #define FILTER_STR2 "pgd3
    "
    /* debug 2, FTP: 69K, strong auth, with external auth servers */
    #define FILTER_STR3 "pgd2
  • the caching WWW proxy (squid) is very interesting because it has its own ACL checks and non-blocking DNS interface. We leveraged this built-in support in our work, but it was still tricky to integrate the firewall's ACL calls while operating as a non-blocking long-lived proxy.
  • Because the proxy might not get an authentication filter after the ACLs return NEEDS_USERNAME, the squid proxy-auth code has been changed not to return a failure code if the password was not accepted. Instead we save some internal state, and only check this state if an authentication filter is returned later.
  • the proxy will make two calls to the ACLs. The first will be:
  • service_number this is a number that the backend decides and is unique per service or possibly per service, from and to region triplet as desired.
  • src_ip this is the source IP address of the connection.
  • dst_ip this is the destination IP address of the connection.
  • src_host_name this is the host name based on the reverse lookup of the source address of the connection. This is generally only used when the kernel explicitly asks for it by returning from a previous call to scc_is_service_allowed with a return value of ACL_RESOLVE_SRC_ADDR.
  • dst_host_name this is the host name based on the reverse lookup of the destination address of the connection. This is generally only used when the kernel explicitly asks for it by returning from a previous call to scc_is_service_allowed with a return value of ACL_RESOLVE_DST_ADDR.
  • user_name this is the user name of the person using the service. This value is only used when ACL_NEED_USER_NAME has been returned by the kernel. Use NULL, if the name has not yet been requested. Currently only FTP, telnet and WWW support user names.
  • name_valid this tells the ACLs whether or not a user name makes any sense for this protocol. If the name_valid flag is set to TRUE, then user decision nodes will be used (and thus a user name will be required if a user decision node is encountered when checking the ACL). If set to false, then the user decision nodes will be ignored and the true path of those nodes encountered when checking the ACL will be used.
  • to_region the region number that the destination address of this connection is in.
  • filter_text_len this is a pointer to an integer which has the length of the filter_text array in it. This value will be set to the amount of data returned by the access call on return. If the return value is ACL_NEED_MORE_FILTER_SPACE, then the value in this variable will contain the amount of space required.
  • filter_text this is an array of characters of size filter_text_len which will be used to store the concatenated filter strings accumulated while checking the ACLs.
  • rule_name_len this is the size of the array rule_name.
  • rule_name this is the name of the rule that allowed or denied the connection. Only a maximum of rule_name_len - 1 characters will be stored in there.
  • redirect_dst_addr_port this is the address and port to redirect this connection to.
  • the system will set this to all zeroes if it is not in use.
  • the port and address will always both be set together in this structure if it is to be used. Only the sin_port and sin_addr part of the structure will be used.
  • redirect_src_addr_port this is used to indicate to the firewall that when making the connection from the firewall to the destination, it should use the source address/port provided. Note that unlike the redirect_dst_addr_port field only the parts of the address required will be filled out. In particular, if the port is specified but not the address then the address field will be zero. Similarly, if the address is specified but not the port, then the port will be zero. For the redirect_dst_addr_port, if one or both fields are specified then they are both returned (with the unspecified field left the same as the actual destination).
  • master_key this is the key that indicates which items have been licensed on the firewall.
  • connection_id this is the connection id for this connection.
  • the user name will be used by the system to get the groups automatically behind the scenes in the library call. This means that the actual call to the kernel will have more fields. In particular, there will be a list of group names and a counter to indicate how many elements are in the list.
  • the second call will be:
  • proxies have to recheck their connections to see if they can still make the connection. This is done as follows:
  • int scc_recheck_service (
        unsigned long service_number,
        struct sockaddr_in *src_ip,
        struct sockaddr_in *dst_ip,
        char *src_host_name,                       /* usually null */
        char *dst_host_name,                       /* usually null */
        char *user_name,                           /* null if none */
        int name_valid,                            /* tell if name is valid */
        caddr_t &connection_id,                    /* id for this connection */
        /* return values */
        int &to_region,
        int &from_region,
        int &filter_text_len,
        char &filter_text,
        int rule_name_len,
        char &rule_name,
        struct sockaddr_in &redirect_src_addr_port,
        struct sockaddr_in &redirect_dst_addr_port
    );
  • connection_id is passed in as a parameter not a return value.
  • proxies should recheck services in order of lowest priority to highest priority (typically by checking the oldest sessions first, when that is possible). Note that short-lived proxies and servers started by secured cannot guarantee the order in which ACLs will be rechecked, since they will all get a HUP signal at the same time.
  • rgnbind() allows a service on the firewall to listen for network connections only in the specified region. This allows us to have different programs listening in different regions; for example, a caching WWW proxy for connections from internal to external and a non-caching proxy from SSN to external.
  • network servers were modified to use rgnbind() instead of bind(), to ensure that they handled traffic for the correct region.
  • rgnctl() adds, deletes, and modifies regions and sets per-region parameters: Members, router, connection refused, and ping response.
  • rrctl() sets region-to-region policy. Currently only handles network address translation, but could add other parameters in future.
  • scc_getregion() retrieves the region number for a given IP address. Further library calls: scc_service_checks(), scc_backend_acl_calls(), scc_service_done(), scc_get_service_counts().
  • ICMP Internet Control Message Protocol
  • when a packet is received, as shown in step 80 , the region ID is retrieved from the network interface and assigned to the packet in step 82 . It is determined in step 84 whether the packet is encrypted, i.e., a VPN. If the packet is encrypted, processing proceeds to step 86 where the VPN security association for that packet is retrieved. The packet is then decrypted in step 88 , and the previously stored region ID for that packet is replaced with the region ID of the VPN in step 90 . All further operations take place on the decrypted packet.
  • a UNIX system checks whether the packet is destined for one of the firewall's IP addresses. If not, the packet is forwarded to the real destination. This has been modified in SecureOS to check that: (a) the destination is in the same region as the source and (b) the “router” flag is set for that region, as shown in steps 92 and 94 . If either condition is not met, the packet is not forwarded, as shown in step 102 .
  • in step 96 the system looks for any socket listening for the incoming packet. Traditionally this match looks at source IP address, source IP port, destination address, and destination port. This has been extended in SecureOS, as shown in step 98 , to also check the region associated with the packet against the region specified in the rgnbind() system call, to ensure that sockets receive data originating only from the correct region. If all conditions are met, the packet is forwarded in step 100 ; otherwise, the packet is not forwarded (step 102 ).
  • Name: user specified region name. Members: physical interfaces and VPN encrypted connections that belong to this region.
  • the following example shows a region of the firewall of the present invention configured to sit between two departments of a company and transparently filter and control network access between the departments.
  • the two regions can see each others' addresses; that is, no address translation is done. Nevertheless, network connections are only allowed if an access rule on the firewall grants permission.
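The FIG. 5 packet flow summarized in the bullets above (region ID taken from the receiving interface, the VPN's region substituted after decryption, forwarding only within one region and only with the "router" flag set, and the rgnbind() region added to the socket match), as an added Python model. This is not the patent's or SecureOS's code; the region numbers, interface names, addresses and SPI value are constructed.

```python
"""Region-aware packet handling modelled on the FIG. 5 flow (steps 80-102).

Added illustration, not the patent's or SecureOS's code. A packet inherits the
region of the interface it arrived on, or of the VPN it was decrypted from; it
is then forwarded only within its own region and only when that region's
"router" flag is set, delivered only to sockets rgnbind()-ed to its region, or
dropped. Regions, addresses and security associations are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Region:
    name: str
    router: bool = False          # per-region "router" parameter set via rgnctl()

@dataclass
class Socket:
    proto: str
    port: int
    region_id: int                # region given to rgnbind()

@dataclass
class Packet:
    iface: str
    src_ip: str
    dst_ip: str
    dst_port: int = 0
    proto: str = "tcp"
    spi: Optional[int] = None     # set when the packet is VPN-encrypted
    region_id: Optional[int] = None   # assigned by the kernel, not by the sender

class RegionKernel:
    def __init__(self) -> None:
        self.regions: Dict[int, Region] = {}
        self.iface_region: Dict[str, int] = {}    # interface -> region it is a member of
        self.vpn_region: Dict[int, int] = {}      # SPI -> region of that VPN
        self.addr_region: Dict[str, int] = {}     # host address -> region
        self.local_addrs: Set[str] = set()        # the firewall's own addresses
        self.sockets: List[Socket] = []

    def rgnctl_add(self, region_id: int, name: str, router: bool = False) -> None:
        self.regions[region_id] = Region(name, router)

    def rgnbind(self, sock: Socket) -> None:
        self.sockets.append(sock)

    def scc_getregion(self, ip: str) -> Optional[int]:
        return self.addr_region.get(ip)

    def process(self, pkt: Packet) -> str:
        # steps 80/82: the region ID comes from the receiving interface
        pkt.region_id = self.iface_region.get(pkt.iface)
        if pkt.region_id is None:
            return "dropped"
        # steps 84-90: encrypted packet -> look up its SA, decrypt, take the VPN's region
        if pkt.spi is not None:
            vpn_region = self.vpn_region.get(pkt.spi)
            if vpn_region is None:
                return "dropped"                  # no security association for this SPI
            pkt.region_id = vpn_region
        # steps 92/94: not addressed to the firewall -> forward only inside one region
        if pkt.dst_ip not in self.local_addrs:
            region = self.regions.get(pkt.region_id)
            same_region = self.scc_getregion(pkt.dst_ip) == pkt.region_id
            if region is not None and region.router and same_region:
                return "forwarded"
            return "dropped"                      # step 102
        # steps 96/98: socket match extended with the rgnbind() region
        for s in self.sockets:
            if (s.proto == pkt.proto and s.port == pkt.dst_port
                    and s.region_id == pkt.region_id):
                return f"delivered:{s.port}"      # step 100
        return "dropped"                          # step 102

def demo_kernel() -> RegionKernel:
    """Constructed configuration: Internal (1, routes), SSN (2) and Internet (3)."""
    k = RegionKernel()
    k.rgnctl_add(1, "Internal", router=True)
    k.rgnctl_add(2, "SSN")
    k.rgnctl_add(3, "Internet")
    k.iface_region.update({"de0": 1, "de1": 2, "de2": 3})
    k.addr_region.update({"10.0.1.5": 1, "10.0.1.9": 1, "10.0.2.21": 2,
                          "198.51.100.7": 3})
    k.local_addrs.update({"10.0.1.1", "10.0.2.1", "192.0.2.1"})
    k.vpn_region[0x1001] = 1          # roaming VPN clients are members of Internal
    k.rgnbind(Socket("tcp", 80, 1))   # caching WWW proxy listening in Internal only
    k.rgnbind(Socket("tcp", 80, 2))   # non-caching WWW proxy listening in SSN only
    return k
```

A packet arriving on the Internet interface for the firewall's port 80 is dropped because no socket is bound to that region, while the same packet inside a known VPN is re-tagged with the VPN's region and reaches the Internal proxy.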

Abstract

A firewall is used to achieve network separation within a computing system having a plurality of network interfaces. A plurality of regions is defined within the firewall and a set of policies is configured for each of the plurality of regions. The firewall restricts communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.

Description

FIELD OF THE INVENTION
The present invention relates generally to network security, and more particularly to a system and method of grouping networks to enforce a security policy.
BACKGROUND OF THE INVENTION
Recent developments in technology have made access easier to publicly available computer networks, such as the Internet. Organizations are increasingly turning to external networks such as the Internet to foster communication between employees, suppliers and clients. With this increased access comes an increased vulnerability to malicious activities on the part of both people inside and outside the organization. Firewalls have become a key tool in controlling the flow of data between internal networks and these external networks.
A firewall is a system which enforces a security policy on communication traffic entering and leaving an internal network. Firewalls are generally developed on one or more of three models: the screening router, the bastion host, and the dual homed gateway. These models are described in U.S. Pat. No. 5,623,601 to Vu, issued Apr. 22, 1997 and entitled APPARATUS AND METHOD FOR PROVIDING A SECURE GATEWAY FOR COMMUNICATION AND DATA EXCHANGES BETWEEN NETWORKS (Vu), which is hereby incorporated herein by reference.
Vu describes packet filters as a more sophisticated type of screening that operates on the protocol level. Packet filters are generally host-based applications which permit certain communications over predefined ports. Packet filters may have associated rule bases and operate on the principle that whatever is not expressly permitted is prohibited. Public networks such as the Internet operate in TCP/IP protocol. A UNIX operating system running TCP/IP has a capacity of 64 K communication ports. It is therefore generally considered impractical to construct and maintain a comprehensive rule base for a packet filter application. Besides, packet filtering is implemented using the simple Internet Protocol (IP) packet filtering mechanisms which are not regarded as being robust enough to permit the implementation of an adequate level of protection. The principal drawback of packet filters, according to Vu, is that they are executed by the operating system kernel and there is a limited capacity at that level to perform screening functions. As noted above, protocols may be piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to access the private network.
Accordingly, it is an object of this invention to provide a method for controlling interactions between networks by the use of firewalls with defined regions.
SUMMARY OF THE INVENTION
The present invention is directed to a system and method of achieving network separation within a computing system having a plurality of network interfaces. One aspect of the invention is a method comprising the steps of defining a plurality of regions; configuring a set of policies for each of the plurality of regions; assigning each of the plurality of network interfaces to only one of the plurality of regions, wherein at least one of the plurality of network interfaces is assigned to a particular region; and restricting communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
Another aspect of the invention is a secure server comprising an operating system kernel; a plurality of network interfaces which communicate with the operating system kernel; and a firewall comprising a plurality of regions, wherein a set of policies have been configured for each of the plurality of regions; wherein each of the plurality of network interfaces is assigned to only one of the plurality of regions; wherein at least one of the plurality of network interfaces is assigned to a particular region; and wherein communication to and from each of the plurality of network interfaces is restricted in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
A feature of the present invention is the application level approach to security enforcement, wherein type enforcement is integral to the operating system. Still another feature is protection against attacks including intruders into the computer system. Yet another feature is a new graphical user interface (GUI) in effective Access Control Language (ACL). A further feature of the present invention is a visual access control system. Another feature is embedded support for Virtual Private Networking (VPN).
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 depicts an implementation of the firewall of the present invention.
FIG. 1a shows a representative computing system protected by a firewall.
FIG. 1b depicts another computing system protected by a firewall.
FIG. 2 shows the regions and their members as defined in the present invention.
FIG. 3 is a graphical representation of ACL commands.
FIG. 4 is a flow diagram for a virus alert.
FIG. 5 depicts a method by which incoming data packets are processed in accordance with the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
In the following detailed description of the preferred embodiments, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.
FIG. 1 depicts a block diagram showing the relationship between a firewall 34 in accordance with this invention, the Internet 36, a Secure Server Network (SSN) 38, a Company Private Net 40, and a Partner Shared Net 42. As shown in FIG. 1, communications to and from any other servers or networks go through the firewall 34.
Two representative firewall-protected computing systems are shown in FIGS. 1a and 1b. System 10 in FIG. 1a includes an internal network 12 connected through firewall 14 to external network 16. A server 18 and one or more workstations 20 are connected to internal network 12 and communicate through firewall 14 with servers or workstations on external network 16.
System 30 in FIG. 1b includes an internal network 32 connected through firewall 34 to external network 36. A server 38 and one or more workstations 40 are connected to internal network 32. In addition, a server 42 is connected through network 44 to firewall 34. Workstations 40 communicate through firewall 34 with servers or workstations on external network 36 and with server 42 on network 44. In one embodiment network 44 and server 42 are in a sort of demilitarized zone (DMZ) providing protected access to server 42 to internal users and to external entities.
In one embodiment, firewalls 14 and 34 implement a region-based security system as will be discussed below.
The operating system on which the firewall 34 is implemented is the BSDI 3.1 version of UNIX, a security hardened operating system with each application separated out, and protected by type enforcement technology. The functions of firewall 34 are all integrated with the operating system, and each one is completely compartmentalized and secured on its own, and then bound by type enforcement control.
Type enforcement, which is implemented within the operating system itself, assures a very high level of security by dividing the entire firewall into domains and file types. Domains are restricted environments for applications, such as FTP and Telnet. A domain is set up to handle one kind of application only, and that application runs solely in its own domain. File types are named groups of files and subdirectories. A type can include any number of files, but each file on the system belongs to only one type.
There is no concept of a root super-user with overall control. Type enforcement is based on the security principle of least privilege: any program executing on the system is given only the resources and privileges it needs to accomplish its tasks. On the firewall of this invention, type enforcement enforces the least privilege concept by controlling all the interactions between domains and file types. Domains must have explicit permission to access specific file types, communicate with other domains, or access system functions. Any attempts to the contrary fail as if the files did not exist. The type enforcement policy is mandatory, and nothing short of shutting the system down and recompiling the type enforcement policy database can change it.
Type enforcement is described in two pending patent applications entitled SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES, Ser. No. 08/322,078, filed Oct. 12, 1994, and SYSTEM AND METHOD FOR ACHIEVING NETWORK SEPARATION, Ser. No. 08/599,232, filed Feb. 9, 1996, both of which are incorporated herein by reference. Essentially, a type enforcement scheme provides for the secure transfer of data between a workstation connected to a private network and a remote computer connected to an unsecured network. A secure computer is inserted into the private network to serve as the gateway to the unsecured network and a client subsystem is added to the workstation in order to control the transfer of data from the workstation to the secure computer. The secure computer includes a private network interface connected to the private network, an unsecured network interface connected to the unsecured network, wherein the unsecured network interface includes means for encrypting data to be transferred from the first workstation to the remote computer, a server function for transferring data between the private network interface and the unsecured network interface and a filter function for filtering data transferred between the remote computer and the workstation.
Application-Level Gateway Architecture
The firewall of the present invention features application-level gateways, which negotiate communications and never make a direct connection between two different networks. Hence, unlike packet filtering, which, as described in the prior art, applies rules on every incoming packet of data, the firewall applies rules applicable to the network or port in which data packets are entering. The gateways have a detailed understanding of the networking services they manage. This architecture isolates activity between network interfaces by shutting off all direct communication between them. Instead, application data is transferred in a sanitized form, between the opposite sides of the gateway.
Attack Protection
In addition to the firewall's secured type enforced operating system and application gateway architecture, the system has been designed to defend against known network penetration and denial of service attacks, including:
SYN Flood attack
Ping of death (fat ping attack)
IP spoofing
Malformed packet attacks (both TCP & UDP)
ACK storms
Forged source address packets
Network probes
Packet fragmentation attacks
Session hijacking
Log overflow attacks
SNMP attacks
Log manipulation
ICMP broadcast flooding
Source routed packets
Land attack
DNS cache corruption
ARP attacks
Mail spamming
Ghost routing attacks
DNS denial of service
Sequence number prediction
FTP bounce or port call attack
Buffer overflows
ICMP protocol tunnelling
Mail exploits
VPN key generation attacks
Authentication race attacks
Intruder Response
Finding out who and where attacks are originating from is a key requirement to taking corrective action. The firewall also includes intruder response that allows administrators to obtain all the information available about a potential intruder. If an attack is detected or an alarm is triggered, the intruder response mechanism collects information on the attacker, their source, and the route they are using to reach the system.
In addition to real-time response via pager or SNMP, alarms can be configured to automatically print results or to email them to the designated person.
Regions
The growing need for applying specific security policies and access requirements to complex organizations requires a new way of managing firewalls—regions. Regions are groupings of physical interfaces (network cards) and virtual networks (VPNs) into entities of similar trust.
Suppose a company has thousands of roaming users connecting to the company network from encrypted virtual private network (“VPN”) clients—managing such users one at a time would be an enormous task. It would be easier to organize those roaming users into groups having, as an example, full access, medium access, and limited access rights. FIG. 2 depicts regions Internet, Secure ‘DMZ’, R&D Network, Sales Offices, Worldwide Customer Service, and Worldwide Sales. In FIG. 2, all Sales or Customer Support departments in the company's offices can be grouped together into regions Worldwide Sales and Worldwide Customer Service, respectively.
Regions permit the grouping of networks and VPNs that require the same type of security, thereby eliminating the need to enter multiple versions of the same access rule for each network or VPN. Thus regions allow flexibility in tailoring a security policy. In defining regions, the first task is to group together networks or VPNs that require the same type of network access. Each network interface card or VPN that is grouped in a region is considered a member of that region. A region can consist of the following members:
an interface card,
a VPN,
a group of VPNs,
an interface card and a VPN, or
an interface card and a group of VPNs.
Hence in FIG. 2, user1, user2, user3, mgr1, and mgr2 of Region named R&D Network would have the same rights defined for the R&D Region. In the same way, Roaming Sales 1, Roaming Sales 2, Roaming Sales 3, etc. would have the same rights accorded to all members of Region named Sales Offices. In FIG. 2, user1, user2, Roaming Sales 1, Roaming Sales 2, mgr1, etc., do not necessarily represent only workstations. In other words, it is possible for user2 to logon the workstation onto which user3 might ordinarily logon, or for mgr1 to logon the workstation onto which mgr3 might ordinarily logon.
Access Rules/Access Control Language
A discussion of the use of access control language to define a security policy is explained in greater detail by Reid et al. in SYSTEM AND METHOD FOR IMPLEMENTING A SECURITY POLICY, U.S. patent application Ser. No. 09/040,827, filed herewith, which discussion is hereby incorporated by reference.
Every region is protected from every other region as defined in the firewall of the present invention. All connections to and from each region are first examined by the firewall. Regions may communicate with each other only if an appropriate access rule has been defined. For each access rule, first, the services that the rule will control must be defined, then, second, the regions that the connection is traveling between must also be defined. For example, if the Internal region is to be allowed to access Telnet services on the Internet region, the access rule must specify Telnet as the service that the rule controls and specify the From: region as Internal and the To: region as Internet. Hence, the firewall of the present invention does not allow traffic to pass directly through the firewall in any direction. Region to Region connections are made via an application aware gateway. Application-level gateways understand and interpret network protocol and provide increased access control ability.
The ACLs are the heart and soul of the firewall. For each connection attempt, the firewall checks the ACLs for permissions on use and for constraints for the connection. Constraints can include: encryption requirements, authentication requirements, time of day restrictions, concurrent sessions restrictions, connection redirection, address or host name restrictions, user restrictions and so forth.
Access rules are the way in which the firewall protects regions from unauthorized access. For each connection attempt, the firewall checks it against the defined access rules. The rule that matches the characteristics of the connection request is used to determine whether the connection should be allowed or denied.
With the firewall of the present invention, access rules are created in a completely new way—using decision trees. Knowing that an access rule is based on a series of decisions made about a connection, the firewall permits the building of an access rule based on “nodes” of decision criteria. A node can be added to check for such criteria as the time of day, whether the connection uses the appropriate authentication or encryption, the user or groups initiating the connection request or the IP address or host of the connection. Each node is compared against an incoming connection request and you determine whether the connection is allowed or denied based on the results of the node comparison.
Every access rule must consist of two specific nodes. The first, the Services node, decides which service(s) the rule will control. The second, the From/To node determines the source region and destination region of the connection. Once the services and regions for the rule are established, more nodes can be added to determine specific details about the connection.
In addition to the Allow or Deny terminal nodes, there are four other types of nodes you can add to an access rule: decision nodes, filter nodes, redirects or address rewrites, and alerts.
Decision Nodes
At any point in an access rule, a connection request can be checked based on the time of day, its users and groups, its IP addresses and hosts or maximum concurrent sessions. At these decision nodes, the firewall determines whether the connection is true or false. If the connection meets the criteria listed in the node, the connection is considered true and proceeds along a “true” branch. If the connection does not meet the node criteria, the connection is considered false and proceeds along a “false” branch.
Filter Nodes
At any point in an access rule one can check whether a connection has certain authentication or encryption, use SmartFilter to block particular WWW connections, or filter the connection to see if it contains Java or ActiveX content. Filters differ from decision nodes in that they do not determine whether a connection is true or false. Instead, filters attempt to apply a condition to the connection. If the filter can be applied to the connection, the filter is performed and the connection proceeds along the same path. If the filter does not apply to the connection, the filter is ignored and the connection still proceeds.
Redirects or Address Rewrites
A rewrite node is a point in an access rule where source or destination addresses are mapped to other source or destination addresses. Destination IP address rewrites allow an inbound connection through network address translation (NAT) address hiding to be remapped to a destination inside the NAT barrier. Source address rewrites can be used on outbound connections to make the source appear to be one of many external addresses. This process allows the internal hosts to be aliased to external addresses. Rewrites can be based on any connection criteria, including users.
Alerts
At any point in an access rule, one can add an alert that notifies recipients when a connection has reached a particular point in an access rule. Using these alerts, one can monitor specific users, IP addresses and other criteria contained within a specific access rule.
True and False Branches
When a connection request reaches a node in a rule, it is checked against the information in the node. If the connection is a filter node, the filter condition is either applied or ignored. Only one branch leads out of a filter node. If the node happens to be a decision node, there are two possible results. If the connection meets the criteria listed, it is considered true and follows the “true” branch of the access rule. Otherwise, the connection is considered “false” and follows the false branch.
Referring to FIG. 3, the design for this feature falls almost directly out of the GUI representation. The GUI presents access rules as a decision tree with special kinds of nodes which make true or false decisions. Each decision leads to a branch which contains more nodes. Along the way, filters can be acquired. These filters are not processed by the kernel with the exception of redirects (rewrite destination address or port). In FIG. 3, the time of day is checked (50). If during business hours, the user is checked (52). Certain users are allowed, so connection is allowed (54) as indicated by the check mark. However, some users (56) require a SmartFilter check (58), whereas everyone else is denied (60).
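The FIG. 3 rule walked as a decision tree in code, using the node kinds described above (decision nodes with true/false branches, filter nodes with one outgoing branch whose text is accumulated, a destination rewrite, Allow/Deny terminals) and the user-name semantics from the ACL call description (a user node with no name yet returns a need-user-name code; with name_valid false the user node's true path is taken). This is an added Python illustration, not the patent's or the firewall's code; the return codes, rule names, user names and the FTP redirect address are constructed.

```python
"""Decision-tree access rule evaluation in the style of FIG. 3.

Added illustration, not the patent's or the firewall's code. Node kinds follow
the text: Services and From/To selection, decision nodes with true and false
branches, filter nodes (one outgoing branch, filter text accumulated), redirect
(rewrite) nodes and Allow/Deny terminals. All rule data is constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

ACL_ALLOW, ACL_DENY, ACL_NEED_USER_NAME = 0, 1, 2   # constructed values

@dataclass
class Connection:
    service: str
    from_region: str
    to_region: str
    hour: int
    user_name: Optional[str] = None   # None until the proxy has asked for it
    name_valid: bool = True           # False for protocols without user names

@dataclass
class Result:
    verdict: int
    rule_name: str = ""
    filter_text: List[str] = field(default_factory=list)
    redirect_dst: Optional[Tuple[str, int]] = None

@dataclass
class Terminal:           # Allow or Deny leaf
    verdict: int

@dataclass
class Decision:           # true/false branch on time, user, address, sessions...
    test: Callable[[Connection], bool]
    on_true: object
    on_false: object
    user_node: bool = False   # a "users and groups" decision node

@dataclass
class Filter:             # single outgoing branch; text handed back to the proxy
    text: str
    nxt: object

@dataclass
class Redirect:           # destination address/port rewrite
    addr: str
    port: int
    nxt: object

@dataclass
class Rule:               # Services node + From/To node + the tree beneath them
    name: str
    services: Set[str]
    from_region: str
    to_region: str
    root: object

def walk(node, conn: Connection, res: Result) -> Result:
    """Follow the tree from node until an Allow/Deny terminal is reached."""
    while not isinstance(node, Terminal):
        if isinstance(node, Decision):
            if node.user_node and not conn.name_valid:
                node = node.on_true        # user nodes ignored: take the true path
            elif node.user_node and conn.user_name is None:
                res.verdict = ACL_NEED_USER_NAME   # kernel asks the proxy for a name
                return res
            else:
                node = node.on_true if node.test(conn) else node.on_false
        elif isinstance(node, Filter):
            res.filter_text.append(node.text)     # filters never branch
            node = node.nxt
        else:                                     # Redirect
            res.redirect_dst = (node.addr, node.port)
            node = node.nxt
    res.verdict = node.verdict
    return res

def check_service(rules: List[Rule], conn: Connection) -> Result:
    """Use the rule whose Services and From/To nodes match; no rule means deny."""
    for rule in rules:
        if (conn.service in rule.services and conn.from_region == rule.from_region
                and conn.to_region == rule.to_region):
            return walk(rule.root, conn, Result(ACL_DENY, rule.name))
    return Result(ACL_DENY)

ALLOW, DENY = Terminal(ACL_ALLOW), Terminal(ACL_DENY)

# FIG. 3: business hours (50) -> user check (52); managers allowed outright (54),
# some users (56) pass through a SmartFilter filter (58), everyone else denied (60).
FIG3_RULE = Rule(
    "www_internal_to_internet", {"www"}, "Internal", "Internet",
    Decision(lambda c: 8 <= c.hour < 18,
             Decision(lambda c: c.user_name in {"mgr1", "mgr2"}, ALLOW,
                      Decision(lambda c: c.user_name in {"user1", "user2"},
                               Filter("smartfilter", ALLOW), DENY, user_node=True),
                      user_node=True),
             DENY))

# Anonymous FTP from the Internet region rewritten to a public FTP server on the SSN.
FTP_RULE = Rule("ftp_internet_to_ssn", {"ftp"}, "Internet", "SSN",
                Redirect("10.0.2.21", 21, ALLOW))
```

Note the consequence of name_valid being false: every user node is skipped along its true path, so a protocol without user names is allowed by this rule during business hours regardless of who is connecting.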
The firewall of the present invention introduces a revolutionary means to manage network access control. Traditional firewalls provide lists of access control rules, but as more rules and controls are added, these lists become unmanageable. As shown in FIG. 3, the present invention presents a visual means by which access control can be defined and easily understood through flowchart style diagrams.
The firewall's access flow diagrams allow any decision criteria to be based on any other decision, in any order. If the administrator wants to check user first, then time, then apply a specific access policy, they can. In addition, the flow diagrams are object oriented for greater power.
Access control rules on the firewall can be defined with flexibility previously unknown in the industry. This allows, for example, for different web filtering policies on a per-user basis, the ability to deny a connection if it isn't encrypted, authenticate a connection by strong token and another connection by password. Access rules can incorporate any of the following criteria:
Source and destination Region
Users and groups
Source and destination addresses, networks, hosts, and domains
Type of service (WWW, Email, Telnet, FTP, etc.)
Time of day, Day of week
Load balancing
Maximum number of concurrent sessions
Required level of encryption
Required level of authentication (strong token, password, etc.)
Protocol filters (WWW, FTP—see later in this section)
SmartFilter™ URL blocking policy (see later in this section)
Multiple external IP address connected to
Source and destination service port and IP address rewrites
Address and Port Rewrites
The firewall's access control diagrams include the capability of IP address rewrites, which allows a connection inbound through NAT address hiding to be remapped to a destination inside the NAT barrier. Also, rewrites can be used on outbound connections to make the source appear to be one of many external addresses. This allows internal hosts to be aliased to external addresses.
Rewrites can be based on any connection criteria, including users. So the administrator can have anonymous FTP connections directed to a public access FTP server on the Secure Server Net, but remap users to their internal machines.
User Defined Alerts
The firewall's access control diagrams also include the capability of sending alerts, with an administrator-defined message, based on any connection decision. Alerts can be dropped into the access flow diagrams at any point. If a connection reaches that point in the diagram, the alert is triggered. For example, in FIG. 4, a check for viruses is performed on a file (70). If a virus is found, the administrator is alerted (72), and the transfer is redirected to a safe location for later inspection (74).
The ACLs consist of all the required kernel code. This is all the code that implements the rules themselves in the kernel including: build, modifying, deleting, and querying the rules. Also included are the system calls that the user level programs need to use the ACLs. The parsing of the return values, especially the filters are not part of the ACLs themselves since the filter rules are defined dynamically by the programs issuing the system calls to build the ACLs. It is the intent that the kernel be flexible enough to handle all the filter requirements without needing modifications for future enhancements.
The ACLs themselves must satisfy the requirements laid out by the GUI design. This dictates to a large degree how the rules must be implemented. Since the user has no direct access to the ACLs (rather they use the user interface), there are no ease of use concerns here except to say that the ACLs must be something the developers can work with easily. Hence, there exists a good set of tools to debug the ACLs.
Virtual Private Networking
Virtual Private Networking (VPN) has been embedded into the architecture of the firewall of the present invention, making it an operating characteristic of the operating system, as opposed to other firewalls which added VPN later. Every access control is available to VPN connections in exactly the same way as for physically connected networks: user controls, IP restrictions, protocol filters, address hiding, multi-homing, and more. VPN is a method of authenticating and transparently encrypting bi-directional data transmissions via the Internet. Both gateway to gateway network links as well as roaming users on VPN enabled laptops are utilizing the security and cost effectiveness of VPN Internet encrypted communications. VPN technology is embedded in the core design of the firewall of the present invention.
Proxies
There are usually 2 sockets per session, client_sock and server_sock. Each socket has two endpoints, so there can be up to four different IP addresses. Note that loc_dst_addr could be anything, if the firewall bound to a wildcard address. Here are diagrams for BFS Inbound, BFS Outbound, and the firewall of the present invention.
                client_sock                             server_sock
client (cli_addr) ----> [firewall (invention)] ----> (srv_addr) server
                (loc_dst_addr)                          (loc_src_addr)
Proxy Signals
The SIGWINCH signal is used to force all ACLs to be rechecked and for proxies to re-initialize themselves (for proxies that use config files). Most proxies will handle this signal themselves, but if secured did an ACL before starting a proxy, it must also do the recheck. The SIGWINCH signal will come from the backend, which will use killpg() to signal all the inetd daemons, secured processes, and their child proxies or servers. Note that the default action for SIGWINCH is ignore, so inetd did not need to be modified.
Some transient proxies use the SIGALRM internally to do idle proxy timeouts (tcpgsp, tnauthp, sqlp).
All proxies should shutdown cleanly if given a SIGTERM signal. The backend (daemond actually) uses SIGTERM to kill inetd processes when the last service has been removed. We have modified inetd to catch SIGTERM and then use killpg(SIGTERM, pgid) to kill all its children (proxies and secureds). When it starts up, inetd creates a new process group and becomes the leader, which allows it to kill all children easily.
Squid will re-open (not rotate) its logfiles if given the SIGUSR1 signal, and re-initialize itself if given SIGWINCH or SIGHUP. Note that this means squid does not do ACL rechecks; it treats SIGWINCH just like a SIGHUP—closes its listen sockets and waits 30 seconds for active sessions to terminate, then re-opens listen sockets. This easy way out was chosen because squid's connections are relatively short-lived.
Standard Proxy Options
The following options are passed to secured by the backend writing them on the inetd.conf line:
-D te_dom Set the TE domain of our child process to te_dom
-N service_number the service number is required for ACL calls; secured will pass this number on to all proxies
-t Specifies that secured is running a transient service (with the wait flag in inetd.conf). ACL checks are not done by secured for transient services, because the service itself must do ACL checks.
-u Specifies that this service supports the notion of a user name, so secured should let service perform its own ACL checks. Currently only FTP, telnet and WWW support user names. Note: only needed for ftpp, because tnauthp and squid already do their own ACLs.
The following options are passed to a proxy by the backend writing them on the inetd.conf line:
-a audit_name use ‘name’ in call to openlog() and for auditing
-i N specify session idle timeout as N seconds
-I N specify proxy idle timeout as N seconds (transient only)
-P ch specify descriptor port, ch=S for secure, ch=L for lpr, ch=G for generic, otherwise, ch=N specify fixed port, or ch=low-high to specify a port range
The following ACL return values are passed to short-lived proxies by secured:
-N service_number the same service number that secured got via backend
-c cli_rgn set cli_region
-s srv_rgn set srv_region
-D IP specify the server IP address
-M IP specify an IP address to spoof as loc_src_addr, for MAT-out
-p N specify the server port number
-P N specify fixed value for descriptor port
-C spoof client-side socket (typically outbound proxies)
-S spoof server-side socket (typically inbound proxies)
By letting the ACLs control so many settings, the inetd.conf lines are much simpler and the degree of control is much greater. For example, here are some BFS inetd.conf entries for inbound proxies:
inbound_udp_relay -e 199.71.190.101 -w 65546 -u g_udp_ir -d 192.168.128.138 -m -g 0
secured -ws 144 -wr 1 -wn 1 -1 199.71.190.121 www_X www_r_i . . . d 192.168.125.2 -m
Here are the corresponding entries for the firewall of the present invention:
secured -N 123 -D RGnx -t - ntpp -a ntpp
secured -N 456 -D RGnx -t - httpp -a httpp
The following options are only used for debugging purposes, some might be disabled on production systems or supported in future releases:
-n non-transparent proxy mode—only works for VDO-Live
-U user_name set the user name (ftp ftp_mux and ftpp/ftpd)
-A ch set the audit method, ch=s for syslog, ch=a for audit, ch=e for stderr
-m disable socket mating
-L disable connection logging
-z set non-paranoid mode, which relaxes IP address checks for UDP proxies
Audit Issues
The firewall of the present invention uses new structured audit calls for session logging, which include src and dst region, ACL matched, auth method, encryption state, etc. The new calls are:
audit_session_begin
audit_session_continue
audit_session_end
audit_log_ftp—to log FTP file transfers, includes user, filename, size
audit_log_smartfilter—to log URL, action (allow/deny), blocked categories
audit_acl_deny—to log ACL denials
audit_ipsec_fail—to log IPSEC failures
audit_auth_fail—to log authentication failures
Authentication Issues
SecureZone has incorporated the proxy-warder-interface (pwif) from Sidewinder. We also support external authentication servers such as snk, safeword, securid. The pwif interface was already supported by tnauthp; we added pwif support to ftpp and for GUI login. We are not using pwif for squid; instead we are using its built-in passwd file support. The backend will have to keep the squid passwd file in sync with the static-passwd file used for ftp and telnet.
ACL Issues
Besides a simple allow/deny, the ACLs also return the following: from_region, to_region, destination redirects for IP and port, source redirects for IP and port, transparency settings and filters. We have standardized ACL filters as follows (example from acl_util.h):
#include <sys/types.h>   /* u_long */

#define FILT_DELIM    '|'
/*
 * all filters will be at least 3-characters in length
 * proxy ACL filters will all start with "p"
 * all filters should be disabled (0) by default unless ACLs enable them
 */
/* generic proxy filters - all start with "pg"
 *
 * filt_debug filter "pgdN" sets debug level to N
 *
 * filt_crypto_from filter "pgeR:levels" requires encryption in regions R,
 * filt_crypto_to where R equals F, T, B for from_rgn, to_rgn, both,
 * filt_crypto_levels and levels is colon delimited in "rc4-40:rc4-128:des56:3des"
 * For example, "pgeF:rc4-128:3des" would force strong
 * encryption between the client and the firewall
 *
 * filt_loc_auth filter "pgaX" specifies local auth
 * the character X gives the method: S, s, w
 * for STRONG_ONLY, STRONG_PREFER, WEAK_PREFER
 *
 * filt_rem_auth TRUE or FALSE
 * filt_undef_servers filter "pgA:" specifies list of remote auth methods,
 * colon delimited "pgA:radius:safeword:securid:snk"
 */
typedef struct {
    /* generic proxy filters - see above for their defined values */
    char filt_debug;
    char filt_crypto_from;
    char filt_crypto_to;
    int filt_crypto_levels;
    char filt_loc_auth;
    char filt_rem_auth;
    char **filt_undef_servers;
    /* FTP proxy filters - all start with "pf" */
    char filt_port;     /* filter "pfo" disables PORT command */
    char filt_pasv;     /* filter "pfa" disables PASV command */
    char filt_get;      /* filter "pfg" disables RETR command */
    char filt_put;      /* filter "pfp" disables STOR command */
    char filt_site;     /* filter "pfs" disables SITE command */
    char filt_mkdir;    /* filter "pfm" disables MKD command */
    char filt_rmdir;    /* filter "pfr" disables RMD command */
    char filt_delete;   /* filter "pfd" disables DELE command */
    char filt_rename;   /* filter "pfv" disables RNFR & RNTO commands */
    char filt_anon;     /* filter "pff" disables USER ftp and anonymous */
    u_long filt_size;   /* filter "pfSN" sets N KB as max file size */
} ftp_acl_filter_t;
Here are some example filter strings, from acl_load.c:
/* FTP: site, del, WWW: java, activex, cookies */
#define FILTER_STR1 "pfs|pfd|pwj|pwa|pwc|"
/* generic filter: debug=3 */
#define FILTER_STR2 "pgd3|"
/* debug = 2, FTP: 69K, strong auth, with external auth servers */
#define FILTER_STR3 "pgd2|pfS69|pgaS|pgA:safeword:radius|"
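As an added example (my own code, not from the patent or from the firewall's acl_util.c/acl_load.c), the following C program parses filter strings in the format above into a struct modelled on ftp_acl_filter_t. The token semantics follow the comments in acl_util.h and the three FILTER_STR examples; the compact struct layout (an ftp_flag array for the ten "pf" command filters and a fixed-size server list instead of a char **) is an assumption made so the example needs no allocation. Tokens that belong to another proxy, such as the "pw" WWW filters that share the string, are skipped rather than rejected, while malformed tokens are reported as an error so a misconfigured ACL cannot silently leave a restriction unenforced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILT_DELIM        '|'
#define MAX_AUTH_SERVERS  8
#define SERVER_NAME_LEN   32

enum { FTP_PORT, FTP_PASV, FTP_GET, FTP_PUT, FTP_SITE, FTP_MKDIR, FTP_RMDIR,
       FTP_DELETE, FTP_RENAME, FTP_ANON, FTP_NFLAGS };

/* Hypothetical compact layout of ftp_acl_filter_t: the FTP command filters
 * sit in one array and the auth servers in a fixed array (no char **). */
typedef struct {
    char filt_debug;                        /* "pgdN": debug level N */
    char filt_crypto_from, filt_crypto_to;  /* "pgeR:...": R = F, T or B */
    char filt_loc_auth;                     /* "pgaX": X is S, s or w */
    char filt_rem_auth;                     /* set when "pgA:..." lists servers */
    int  filt_nservers;
    char filt_undef_servers[MAX_AUTH_SERVERS][SERVER_NAME_LEN];
    char ftp_flag[FTP_NFLAGS];              /* "pfo", "pfa", ...: command disabled */
    unsigned long filt_size;                /* "pfSN": maximum file size in KB */
} ftp_acl_filter_t;

/* Apply one token. Returns 1 if applied, 0 if it belongs to another proxy
 * ("pw..." WWW filters travel in the same string), -1 if malformed. */
static int apply_filter_token(ftp_acl_filter_t *f, const char *tok)
{
    static const char ftp_codes[] = "oagpsmrdvf";   /* pfX codes, enum order */
    size_t len = strlen(tok);
    if (len < 3 || tok[0] != 'p')
        return -1;                          /* every filter is "p" + 2 chars */
    if (tok[1] == 'g') {                    /* generic proxy filters */
        switch (tok[2]) {
        case 'd': f->filt_debug = (char)atoi(tok + 3); return 1;
        case 'e':                           /* pgeR:level:level... */
            if (len < 4 || !strchr("FTB", tok[3])) return -1;
            f->filt_crypto_from = tok[3] != 'T'; f->filt_crypto_to = tok[3] != 'F';
            return 1;
        case 'a': if (len < 4) return -1; f->filt_loc_auth = tok[3]; return 1;
        case 'A': {                         /* pgA:server:server... */
            const char *p = tok + 3;
            if (*p != ':') return -1;
            f->filt_rem_auth = 1;
            for (p++; *p && f->filt_nservers < MAX_AUTH_SERVERS; ) {
                const char *q = strchr(p, ':');
                size_t n = q ? (size_t)(q - p) : strlen(p);
                if (n > 0) {
                    if (n >= SERVER_NAME_LEN) n = SERVER_NAME_LEN - 1;
                    memcpy(f->filt_undef_servers[f->filt_nservers], p, n);
                    f->filt_undef_servers[f->filt_nservers++][n] = '\0';
                }
                p = q ? q + 1 : p + strlen(p);
            }
            return 1;
        }
        default: return -1;
        }
    }
    if (tok[1] == 'f') {                    /* FTP proxy filters */
        const char *hit = strchr(ftp_codes, tok[2]);
        if (tok[2] == 'S') { f->filt_size = strtoul(tok + 3, NULL, 10); return 1; }
        if (hit == NULL) return -1;
        f->ftp_flag[hit - ftp_codes] = 1;
        return 1;
    }
    return 0;                               /* another proxy's filter: skip it */
}

/* Parse a whole FILT_DELIM-separated string such as FILTER_STR3 into f.
 * Returns the number of tokens applied, or -1 on a malformed token. */
int parse_filter_string(ftp_acl_filter_t *f, const char *filters)
{
    const char *p = filters;
    int applied = 0, rc;
    memset(f, 0, sizeof *f);
    while (*p) {
        const char *q = strchr(p, FILT_DELIM);
        size_t n = q ? (size_t)(q - p) : strlen(p);
        char tok[64];
        if (n >= sizeof tok) return -1;
        if (n > 0) {                        /* skip empty fields ("||") */
            memcpy(tok, p, n);
            tok[n] = '\0';
            if ((rc = apply_filter_token(f, tok)) < 0) return -1;
            applied += rc;
        }
        p = q ? q + 1 : p + n;
    }
    return applied;
}

int main(void)
{
    ftp_acl_filter_t f;
    int n = parse_filter_string(&f, "pgd2|pfS69|pgaS|pgA:safeword:radius|");
    printf("applied=%d debug=%d size=%luKB auth=%c servers=%d\n", n, f.filt_debug,
           f.filt_size, f.filt_loc_auth, f.filt_nservers);
    return 0;
}
```

The parser treats every field as fail-closed: an unknown "pg" or "pf" token makes the whole string invalid, which is the safer outcome for a proxy that would otherwise run with a restriction it did not understand.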
SQUID Issues
The caching WWW proxy (squid) is very interesting because it has its own ACL checks and non-blocking DNS interface. We leveraged this built-in support in our work, but it was still tricky to integrate the firewall's ACL calls while operating as a non-blocking long-lived proxy.
Squid supports something called proxy-authentication, but this will only work if someone has configured their web browser to contact a proxy for all URLs. Before doing ACL checks, we use the following code to handle this special case:
if (scc_getregion(&conn->me.sin_addr) == 0)   /* conn->me: the local address the client connected to */
    name_valid = 1;  /* non-transparent mode (connection made to the firewall itself) supports proxy-auth */
else
    name_valid = 0;  /* transparent mode does not */
This will cause ACL checks for transparent HTTP requests to bypass user nodes, and squid will ignore auth filters. Non-transparent requests (where the connection is TO the firewall) will enforce any user nodes and auth filters in the ACL tree.
Since the proxy might not get an authentication filter after the ACLs return NEEDS_USERNAME, the squid proxy-auth code has been changed to not return a failure code if the password was not accepted. Instead we save some internal state, and only check this state if an authentication filter is returned later.
It is worth noting that in non-transparent mode squid can proxy and authenticate http, gopher, ftp and wais URLs.
In the Proxy
The proxy will make two calls to the ACLs. The first will be:
#include <sys/types.h>
#include <netinet/in.h>

int scc_is_service_allowed(
    unsigned long service_number,
    struct sockaddr_in *src_ip,
    struct sockaddr_in *dst_ip,
    char *src_host_name, /* usually null */
    char *dst_host_name, /* usually null */
    char *user_name, /* null if none */
    int name_valid, /* tell if name is valid */
    /* return values */
    int *to_region,
    int *from_region,
    int *filter_text_len,
    char *filter_text,
    int rule_name_len,
    char *rule_name,
    struct sockaddr_in *redirect_src_addr_port,
    struct sockaddr_in *redirect_dst_addr_port,
    int *master_key,
    caddr_t *connection_id /* id for this connection */
);
The possible return values will be:
#define ACL_DENY 0
#define ACL_ALLOW_HIDE_SRC 1
#define ACL_ALLOW_HIDE_DST 2
#define ACL_ALLOW_HIDE_BOTH 3
#define ACL_ALLOW_SHOW_ALL 4
#define ACL_RESOLVE_SRC_ADDR 5
#define ACL_RESOLVE_DST_ADDR 6
#define ACL_NEED_MORE_FILTER_SPACE 7
#define ACL_NEED_USER_NAME 8
Thus the ACLs will return, for each connection, how to hide the addresses. Each parameter of the call is described as follows:
service_number: this is a number that the backend decides; it is unique per service or, if desired, per (service, from region, to region) triplet.
src_ip: this is the source IP address of the connection.
dst_ip: this is the destination IP address of the connection.
src_host_name: this is the host name based on the reverse lookup of the source address of the connection. This is generally only used when the kernel explicitly asks for it by returning from a previous call to scc_is_service_allowed with a return value of ACL_RESOLVE_SRC_ADDR.
dst_host_name: this is the host name based on the reverse lookup of the destination address of the connection. This is generally only used when the kernel explicitly asks for it by returning from a previous call to scc_is_service_allowed with a return value of ACL_RESOLVE_DST_ADDR.
user_name: this is the user name of the person using the service. This value is only used when ACL_NEED_USER_NAME has been returned by the kernel. Use NULL, if the name has not yet been requested. Currently only FTP, telnet and WWW support user names.
name_valid: this tells the ACLs whether or not a user name makes any sense for this protocol. If the name_valid flag is set to TRUE, then user decision nodes will be used (and thus a user name will be required if a user decision node is encountered when checking the ACL). If set to false, then the user decision nodes will be ignored and the true path of those nodes encountered when checking the ACL will be used.
to_region: the region number that the destination address of this connection is in.
from_region: the region number that the source address of this connection is in.
filter_text_len: this is a pointer to an integer which has the length of the filter_text array in it. This value will be set to the amount of data returned by the access call on return. If the return value is ACL_NEED_MORE_FILTER_SPACE, then the value in this variable will contain the amount of space required.
filter_text: this is an array of characters of size filter_text_len which will be used to store the concatenated filter strings accumulated while checking the ACLs.
rule_name_len: this is the size of the array rule_name.
rule_name: this is the name of the rule that allowed or denied the connection. At most rule_name_len - 1 characters will be stored there.
redirect_dst_addr_port: this is the address and port to redirect this connection to. The system will set this to all zeroes if it is not in use. The port and address will always both be set together in this structure if it is to be used. Only the sin_port and sin_addr part of the structure will be used.
redirect_src_addr_port: this is used to indicate to the firewall that when making the connection from the firewall to the destination, it should use the source address/port provided. Note that unlike the redirect_dst_addr_port field, only the parts of the address required will be filled out. In particular, if the port is specified but not the address, then the address field will be zero. Similarly, if the address is specified but not the port, then the port will be zero. For the redirect_dst_addr_port, if one or both fields are specified then both are returned (with the unspecified field left the same as the actual destination).
master_key: this is the key that indicates which items have been licensed on the firewall.
connection_id: this is the connection id for this connection. When the service is finished you provide this id to the scc_service_done system call and that function decrements the correct counters.
Note that the user name will be used by the system to get the groups automatically behind the scenes in the library call. This means that the actual call to the kernel will have more fields. In particular, there will be a list of group names and a counter to indicate how many elements are in the list.
The second call will be:
int scc_service_done(caddr_t connection_id);
This call always returns zero now. The kernel will use the information in the proc structure for this process to decrement the connection counts for this connection.
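The following added example (my own code, not code from the patent or from the firewall's library) shows the retry protocol a proxy has to implement around scc_is_service_allowed(): ACL_NEED_MORE_FILTER_SPACE and ACL_NEED_USER_NAME are requests to call again, with the buffer size the kernel reported or with an authenticated user name, and name_valid decides whether user decision nodes apply at all. Because the real system call exists only inside the firewall's kernel, the kernel side is a stand-in, mock_acl_check(), with the same parameter roles, driven by a constructed region table and rule table; the networks, service numbers, rule names and filter strings are constructed values.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define ACL_DENY                   0
#define ACL_ALLOW_HIDE_SRC         1
#define ACL_ALLOW_HIDE_DST         2
#define ACL_NEED_MORE_FILTER_SPACE 7
#define ACL_NEED_USER_NAME         8

/* Constructed region table: region id by /24 prefix (hypothetical networks). */
static const struct { const char *net; int id; } REGIONS[] = {
    { "192.168.128.0", 1 }, { "199.71.190.0", 2 }, { "192.168.125.0", 3 } /* Internal, External, SSN */
};

/* Constructed ACL rules, one per (service, from, to) triplet: needs_user
 * marks a user decision node on the path, filters are the tokens collected
 * along it, verdict is the ACL_ALLOW_* value at the leaf. */
static const struct {
    const char *name; unsigned long service; int from, to, needs_user;
    const char *filters; int verdict;
} RULES[] = {
    { "ftp_int_ext", 123, 1, 2, 1, "pgaS|pfS69|", ACL_ALLOW_HIDE_SRC },
    { "www_ext_ssn", 456, 2, 3, 0, "pwj|pwa|",    ACL_ALLOW_HIDE_DST },
};

/* Stand-in for scc_getregion(): 0 means the address is in no region. */
int region_of(const struct in_addr *a)
{
    size_t i;
    struct in_addr net;
    for (i = 0; i < sizeof REGIONS / sizeof REGIONS[0]; i++)
        if (inet_pton(AF_INET, REGIONS[i].net, &net) == 1 &&
            (a->s_addr & htonl(0xffffff00u)) == net.s_addr)
            return REGIONS[i].id;
    return 0;
}

/* Stand-in for the kernel side of scc_is_service_allowed(); the pointer
 * parameters play the role of the return values in the prototype above. */
int mock_acl_check(unsigned long service, const struct sockaddr_in *src,
                   const struct sockaddr_in *dst, const char *user_name, int name_valid,
                   int *to_region, int *from_region, int *filter_text_len,
                   char *filter_text, int rule_name_len, char *rule_name)
{
    size_t i;
    *from_region = region_of(&src->sin_addr);
    *to_region   = region_of(&dst->sin_addr);
    if (*from_region == 0 || *to_region == 0)
        return ACL_DENY;                     /* address outside every region */
    for (i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        int need = (int)strlen(RULES[i].filters) + 1;
        if (RULES[i].service != service || RULES[i].from != *from_region ||
            RULES[i].to != *to_region)
            continue;
        if (RULES[i].needs_user && name_valid && user_name == NULL)
            return ACL_NEED_USER_NAME;       /* user node, but no name yet */
        if (*filter_text_len < need) {
            *filter_text_len = need;         /* report the space required */
            return ACL_NEED_MORE_FILTER_SPACE;
        }
        memcpy(filter_text, RULES[i].filters, (size_t)need);
        *filter_text_len = need - 1;         /* bytes of filter text returned */
        snprintf(rule_name, (size_t)rule_name_len, "%s", RULES[i].name);
        return RULES[i].verdict;
    }
    return ACL_DENY;                         /* no rule between these regions */
}

struct acl_result { int verdict, from_region, to_region, retries; char filter_text[64], rule_name[16]; };

/* The proxy's side of the exchange. auth_user is the name the proxy would
 * obtain by authenticating the user, or NULL if it could not. */
int proxy_check_connection(unsigned long service, const char *src_ip, const char *dst_ip,
                           int name_valid, const char *auth_user, struct acl_result *r)
{
    struct sockaddr_in src = { 0 }, dst = { 0 };
    const char *user = NULL;
    int len = 4;                 /* deliberately small: exercises the retry path */
    memset(r, 0, sizeof *r);
    src.sin_family = dst.sin_family = AF_INET;
    inet_pton(AF_INET, src_ip, &src.sin_addr);
    inet_pton(AF_INET, dst_ip, &dst.sin_addr);
    for (;;) {
        int rc = mock_acl_check(service, &src, &dst, user, name_valid,
                                &r->to_region, &r->from_region, &len, r->filter_text,
                                (int)sizeof r->rule_name, r->rule_name);
        if (rc == ACL_NEED_MORE_FILTER_SPACE && len <= (int)sizeof r->filter_text) {
            r->retries++;                    /* len now holds the size the ACLs need */
        } else if (rc == ACL_NEED_USER_NAME && user == NULL && auth_user != NULL) {
            user = auth_user;                /* authenticate, then ask again */
            r->retries++;
        } else {
            /* anything still pending (no credentials, oversize filters) is a deny */
            r->verdict = rc >= ACL_NEED_MORE_FILTER_SPACE ? ACL_DENY : rc;
            return r->verdict;
        }
    }
}
```

Note the fail-closed default in the proxy loop: a request that is still pending when the proxy cannot satisfy it (no credentials, or filter text larger than the buffer it is willing to allocate) is treated as ACL_DENY rather than as an implicit allow.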
There is one other call that a proxy might have to make. When an ACL is updated, proxies have to recheck their connections to see if they can still make the connection. This is done as follows:
int scc_recheck_service(
    unsigned long service_number,
    struct sockaddr_in *src_ip,
    struct sockaddr_in *dst_ip,
    char *src_host_name, /* usually null */
    char *dst_host_name, /* usually null */
    char *user_name, /* null if none */
    int name_valid, /* tell if name is valid */
    caddr_t connection_id, /* id for this connection */
    /* return values */
    int *to_region,
    int *from_region,
    int *filter_text_len,
    char *filter_text,
    int rule_name_len,
    char *rule_name,
    struct sockaddr_in *redirect_src_addr_port,
    struct sockaddr_in *redirect_dst_addr_port,
    int *master_key
);
Returns from this call are the same as for the scc_is_service_allowed call, except that connection_id is passed in as a parameter, not returned as a value.
If the connection is not allowed, then the counters are automatically freed up and the proxy need not make any further calls for that connection. In the case of counter nodes, the recheck will fail until the counter is at an acceptable level. This means that, if the counter has been decreased below current connection levels, the first connection rechecked will fail and so on until the current number of connections counter has been decremented enough. Thus, proxies should recheck services in order of lowest priority to highest priority (typically by checking the oldest sessions first, when that is possible). Note that short-lived proxies and servers started by secured cannot guarantee the order in which ACLs will be rechecked, since they will all get a HUP signal at the same time.
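An added example of the counter behaviour just described (constructed code, not the patent's or the kernel's): a counter node keeps the administrator's limit and the current connection count; a recheck fails, and releases the session's share of the counter at once, while the count is above the limit, so when the limit is lowered the sessions rechecked first are the ones that get cut. The recheck_all() routine sorts the sessions oldest-first before rechecking, which is the ordering the text recommends. The struct layouts, the sessions and the lowered-limit scenario are constructed.

```c
/* One concurrent-sessions counter node on an ACL path: the administrator's
 * limit and the kernel's count of connections charged against it. */
struct counter_node { int limit; int current; };

struct session { int id; long started; int alive; };

/* Stand-in for the counter part of scc_recheck_service(): a session passes
 * while the count is within the limit; a denied session gives its counter
 * back at once, so the proxy need not call scc_service_done() for it. */
int recheck_session(struct counter_node *c, struct session *s)
{
    if (!s->alive)
        return 0;
    if (c->current > c->limit) {
        c->current--;                 /* counter freed automatically on denial */
        s->alive = 0;
        return 0;
    }
    return 1;
}

/* Recheck every session, oldest first (lowest priority first), as the text
 * recommends; the sessions that get cut are therefore the oldest ones.
 * Returns the number of sessions that survived. */
int recheck_all(struct counter_node *c, struct session *sess, int n)
{
    int i, j, alive = 0;
    for (i = 1; i < n; i++) {         /* insertion sort by start time */
        struct session t = sess[i];
        for (j = i; j > 0 && sess[j - 1].started > t.started; j--)
            sess[j] = sess[j - 1];
        sess[j] = t;
    }
    for (i = 0; i < n; i++)
        alive += recheck_session(c, &sess[i]);
    return alive;
}

/* Scenario: five sessions were admitted under a limit of 5; the
 * administrator lowers the limit to new_limit and the backend signals a
 * recheck. Returns the surviving count; dropped_ids/ndropped receive the
 * ids that were cut (constructed data, deliberately out of start order). */
int lowered_limit_scenario(int new_limit, int *dropped_ids, int *ndropped)
{
    struct session sess[5] = {
        { 3, 300, 1 }, { 1, 100, 1 }, { 5, 500, 1 }, { 2, 200, 1 }, { 4, 400, 1 }
    };
    struct counter_node c = { 5, 5 };
    int i, alive;
    c.limit = new_limit;
    alive = recheck_all(&c, sess, 5);
    *ndropped = 0;
    for (i = 0; i < 5; i++)
        if (!sess[i].alive)
            dropped_ids[(*ndropped)++] = sess[i].id;
    return alive;
}
```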
Implementation of Regions
The following new system calls were added to the BSDI 3.1 version of UNIX to support regions:
rgnbind() allows a service on the firewall to listen for network connections only in the specified region. This allows us to have different programs listening in different regions; for example, a caching WWW proxy for connections from internal to external and a non-caching proxy from SSN to external. In one embodiment, network servers were modified to use rgnbind() instead of bind(), to ensure that they handled traffic for the correct region.
rgnctl() adds, deletes, and modifies regions and sets per-region parameters: members, router, connection refused, and ping response.
rrctl() sets region-to-region policy. Currently it only handles network address translation, but other parameters could be added in future.
scc_getregion() retrieves the region number for a given IP address.
scc_service_checks()
scc_backend_acl_calls()
scc_service_done()
scc_get_service_counts()
Other changes include:
initialization of region table at system startup time;
addition of a region number to the packet header data structure to record the region ID for every network packet received;
addition of a field to the network interface data to record which region that interface belongs to; and
addition of a field to the VPN security association data to record which region the VPN belongs to.
Other further changes:
In the ICMP (Internet Control Message Protocol) processing, if the incoming packet is an ICMP ECHO_REQUEST (commonly known as a “ping”), check the region table and only respond if ping response is enabled for the region from which the packet came;
In the IPSec key and policy processing code, code was added to record the region ID associated with keys and policy table entries, and to manipulate keys and policies on a region-by-region basis;
List of changed files: Region modifications were made to the following files within the BSD/OS kernel:
kern/uipc_mbuf.c
kern/uipc_syscalls.c
ACL/aclservice.c
netinet/ip_input.c
netinet/in_pcb.c
netinet/in_pcb.h
netinet/ip_icmp.c
netinet/ip_tunnel.c
netinet/raw_ip.c
netinet/tcp_input.c
netinet/udp_usrreq.c
netkey/key.c
netpolicy/policy.h
netpolicy/pt_debug.c
netpolicy/ptsock.c
netpolicy/policy.c
netsec/ipsec.c
netsec/ipsec_ah.c
netsec/ipsec_esp.c
sys/aclkern.h
sys/audit_codes.h
sys/mbuf.h
sys/region.h
sys/sysctl.h
net/if.c
net/if.h
Region Determination Processing
Referring to FIG. 5, when a packet is received as shown in step 80, the region ID is retrieved from the network interface and assigned to the packet in step 82. It is determined in step 84 whether the packet is encrypted, i.e., a VPN. If the packet is encrypted, processing proceeds to step 86 where the VPN security association for that packet is retrieved. The packet is then decrypted in step 88, and the previously stored region ID for that packet is replaced with the region ID of the VPN in step 90. All further operations take place on the decrypted packet.
Ordinarily, a UNIX system then checks whether the packet is destined for one of the firewall's IP addresses. If not, the packet is forwarded to the real destination. This has been modified in SecureOS to check that: (a) the destination is in the same region as the source and (b) the “router” flag is set for that region, as shown in steps 92 and 94. If either condition is not met, the packet is not forwarded, as shown in step 102.
In step 96, the system looks for any socket listening for the incoming packet. Traditionally this match looks at source IP address, source IP port, destination address, and destination port. This has been extended in SecureOS, as shown in step 98, to also check the region associated with the packet against the region specified in the rgnbind() system call, to ensure that sockets receive data originating only from the correct region. If all conditions are met, the packet is forwarded in step 100; otherwise, the packet is not forwarded (step 102).
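As an added example of the region determination in FIG. 5 (constructed code, not the SecureOS kernel's), process_packet() carries out steps 82 through 102 together with the two region flags from the kernel changes listed earlier: the ICMP echo check, and the "connection refused" behaviour when no socket is listening. The struct layouts, the run_scenario() helper and the region ids are assumptions; the flag values mirror the Internal/External/SSN region table in the user's-view example, with the VPN to Waterloo placed in the Internal region as that example does.

```c
#include <stddef.h>

/* Per-region parameters as set with rgnctl(): the Rtr, Conn and Ping
 * columns of the region table. Constructed values modelled on the
 * Internal/External/SSN example; region 0 means "unassigned". */
struct region_params { const char *name; int router, conn_refused, ping; };
static const struct region_params REGION_TABLE[] = {
    { "unassigned", 0, 0, 0 },
    { "Internal",   1, 1, 1 },   /* members: ef0 and the VPN to Waterloo */
    { "External",   0, 0, 0 },   /* members: ef1 */
    { "SSN",        1, 1, 1 },   /* members: ef2 */
};
#define NREGIONS (sizeof REGION_TABLE / sizeof REGION_TABLE[0])

/* The interface and the VPN security association each record a region ID. */
struct netif  { const char *name; int region; };
struct vpn_sa { unsigned spi; int region; };

/* Packet header extended with a region field (constructed, not the mbuf). */
struct packet {
    int region;                 /* set in step 82, replaced in step 90 */
    int encrypted;              /* non-zero for an IPSec/VPN packet (step 84) */
    const struct vpn_sa *sa;    /* security association, if any (step 86) */
    int dst_is_firewall;        /* destination is one of the firewall's addresses */
    int dst_region;             /* region of the destination address */
    int icmp_echo;              /* ICMP ECHO_REQUEST ("ping") */
};

/* A listening socket created with rgnbind(): besides the usual 4-tuple
 * match it carries the region it was bound to (step 98). */
struct rgn_socket { int bound_region; int tuple_matches; };

enum verdict { DROP = 0, FORWARD, DELIVER_LOCAL, ICMP_REPLY, REFUSE };

/* Region determination and forwarding decision, following FIG. 5 (steps
 * 80 to 102) plus the ICMP echo and "connection refused" region flags. */
int process_packet(struct packet *p, const struct netif *in,
                   const struct rgn_socket *sock)
{
    p->region = in->region;                               /* step 82 */
    if (p->encrypted) {                                   /* step 84 */
        if (p->sa == NUL)
            return DROP;
    }
    return DROP;
}
```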
Examples of User's View of Regions:
This example mimics the Borderware configuration of internal, external, and Secure Server Net (SSN):
We show We see
Name Members address to address from Rtr Conn Ping
Internal ef0 Ethernet External 1 1 1
VPN- SSN
Waterloo
External ef1 Ethernet Internal 0 0 0
SSN
SSN ef2 Ethernet Internal External 1 1 1
The fields are:
Name user specified region name
Members physical interfaces and VPN encrypted connections that
belong to this region.
We Show Addr the Network Address Translation configuration. This
To example shows that the Internal region is hidden from all
We See Addr others, and that the SSN region is hidden from External
From but visible to Internal
Rtr if 1, the firewall acts as a router between members of this
region. In this example, packets would flow between the
Internal region and the VPN to Waterloo as if they were
simply going through a router.
Conn If 1, the firewall returns “connection refused” messages
if there is no service available on the requested network
port. Setting this to 0 on external regions can help defeat
network scanning attacks.
Ping Respond to network pings (ICMP ECHO-REQUEST
packets). Again, setting to 0 on external regions can help
defeat network scans.
The following example shows a region of the firewall of the present invention configured to sit between two departments of a company and transparently filter and control network access between the departments.
We show We see
Name Members address to address from Rtr Conn Ping
Service ef0 Ethernet Research Research 1 1 1
Research ef1 Ethernet Service Service 1 1 1
The two regions can see each others' addresses; that is, no address translation is done. Nevertheless, network connections are only allowed if an access rule on the firewall grants permission.
Conclusion
It is understood that the above description is intended to be illustrative, and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reviewing the above description. The scope of the invention should, therefore, be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

Claims (32)

What is claimed is:
1. A method of achieving network separation within a computing system having network interfaces connected to form a plurality of physical networks, the method comprising the steps of:
defining a plurality of regions;
defining a virtual private network;
establishing a set of security policies, wherein the set of security policies defines rules for communicating between each of the plurality of regions;
assigning each physical network to one of the plurality of regions;
assigning the virtual private network to one of the plurality of regions; and
restricting communication between the plurality of regions in accordance with the set of security policies.
2. The method according to claim 1, wherein establishing a set of security policies includes defining an access rule for communication between two regions.
3. The method according to claim 2, wherein the access rule establishes permissions for use of a communication path between the source and destination regions.
4. The method according to claim 2, wherein the access rule establishes one or more constraints on use of a communication path between the source and destination regions.
5. The method according to claim 4, wherein the constraints include an encryption requirement.
6. The method according to claim 4, wherein the constraints include an authentication requirement.
7. The method according to claim 4, wherein the constraints include a constraint from a group of constraints including a time of day restriction, a concurrent sessions restriction, connection redirection, an address restriction, a host name restriction and a user restriction.
8. The method according to claim 1, wherein restricting communication includes routing communication between different regions to an application level proxy, wherein the application level proxy applies the set of security policies.
9. A secure server, comprising:
an operating system kernel;
a plurality of network interfaces, wherein the network interfaces are connected to form a plurality of physical networks and wherein each of the plurality of network interfaces communicates with the operating system kernel;
a virtual private network;
a plurality of regions; and
a security policy, wherein the security policy defines rules for communicating between each of the plurality of regions;
wherein each of the physical networks is assigned to a region;
wherein the virtual private network is assigned to a region; and
wherein communication between the plurality of regions is restricted in accordance with the security policy.
10. The secure server according to claim 9, wherein the security policy uses an access rule to restrict communication between two regions and wherein communication between a source and destination region is only allowed if an access rule has been defined for communication from the source region to the destination region.
11. The secure server according to claim 10, wherein the access rule establishes permissions for use of a communication path between the source and destination regions.
12. The secure server according to claim 10, wherein the access rule establishes one or more constraints on use of a communication path between the source and destination regions.
13. The secure server according to claim 12, wherein the constraints include an encryption requirement.
14. The secure server according to claim 12, wherein the constraints include an authentication requirement.
15. The secure server according to claim 12, wherein the constraints include a constraint from a group of constraints including a time of day restriction, a concurrent sessions restriction, connection redirection, an address restriction, a host name restriction and a user restriction.
16. The secure server according to claim 10, wherein the secure server further comprises an application level proxy and wherein communication between regions is first examined by the application level proxy.
17. The secure server according to claim 10, wherein the secure server further comprises an application level proxy and wherein communication between regions is first examined by the application level proxy.
18. In a computer system having a plurality of network interfaces, including a first and a second network interface, in which the first and second network interfaces are connected to first and second networks, respectively, a method of processing a packet having a source region and a destination region, the method comprising:
defining a plurality of regions, wherein defining includes assigning a first region identifier to the first network and a second region identifier to the second network;
establishing a security policy, wherein the security policy defines rules for communicating between the plurality of regions;
receiving a packet at the first network interface;
assigning the first region identifier to the packet;
reviewing the security policy to determine if transfer of the packet between the source region and the destination region is permitted for packets assigned the first region identifier; and
if so, forwarding the packet to the destination region.
19. The method according to claim 18 wherein reviewing the security policy includes issuing a mgbind() system call to ensure that sockets receive data only from a predefined region.
20. In a computer system having a plurality of network interfaces, including a first and a second network interface, in which the first and second network interfaces are connected to first and second networks, respectively, a method of processing a packet having a source region and a destination region, the method comprising:
providing a virtual private network;
defining a plurality of regions, wherein defining includes assigning a first region identifier to the first network, a second region identifier to the second network and a third region identifier to the virtual private network;
establishing a security policy, wherein the security policy defines rules for communicating between the plurality of regions;
receiving a packet at the first network interface;
assigning the first region identifier to the packet;
determining if the packet is encrypted;
if the packet is encrypted, changing the region identifier assigned to the packet, wherein changing the region identifier includes:
retrieving a virtual private network security association for the packet;
decrypting the packet; and
replacing the first region identifier with the third region identifier;
reviewing the security policy to determine if transfer of the packet between the source region and the destination region is permitted when the packet is received from the virtual private network; and
if so, forwarding the packet to the destination.
21. The method according to claim 20 wherein reviewing the security policy includes issuing a mgbind() system call to ensure that sockets receive data only from a predefined region.
22. A method of achieving network separation within a computing system having a plurality of networks, including a virtual private network, the method comprising the steps of:
defining a plurality of regions;
configuring a set of security policies, wherein the set of security policies defines rules for communicating between each of the plurality of regions;
assigning each of the plurality of networks to one of the plurality of regions, wherein assigning includes assigning a region identifier to the virtual private network; and
restricting communication between regions in accordance with the set of security policies.
23. The method according to claim 22, wherein establishing a set of security policies includes defining an access rule for communication between two regions.
24. The method according to claim 23, wherein the access rule establishes permissions for use of a communication path between the two regions.
25. The method according to claim 23, wherein the access rule establishes one or more constraints on use of a communication path between the two regions.
26. The method according to claim 23, wherein the constraints include a constraint from a group of constraints including an encryption requirement, an authentication requirement, a time of day restriction, a concurrent sessions restriction, connection redirection, an address restriction, a host name restriction and a user restriction.
27. The method according to claim 22, wherein restricting communication includes routing communication between different regions to an application level proxy, wherein the application level proxy applies the set of security policies.
28. In a computer network system having a plurality of regions and a plurality of services, including a first service, wherein each service defines a protocol for transferring data between two of the plurality of regions, and wherein each region includes one or more networks, a method of limiting transfers between regions, comprising:
defining a to-from set, wherein the to-from set lists a source region and a destination region;
associating the to-from set with the first service;
defining a path, wherein the path includes desired options for limiting transfer from the source region to the destination region via the first service;
storing information regarding the to-from set, the first service and the path as an access control rule;
receiving a request to set up said first service between the source region and the destination region;
comparing the request to the access control rule to determine access; and
if access is allowed, establishing the service between the source and destination regions.
29. A method of achieving network separation within a computing system having network interfaces connected to form a plurality of physical networks, the method comprising the steps of:
defining a plurality of regions;
establishing a set of security policies, wherein the set of security policies defines rules for communicating between each of the plurality of regions;
assigning each physical network to one of the plurality of regions, wherein at least one of the regions is assigned two or more networks; and
restricting communication between the plurality of regions in accordance with the set of security policies.
30. The method according to claim 29, wherein establishing a set of security policies includes defining an access rule for communication between two regions.
31. A secure server, comprising:
an operating system kernel;
a plurality of network interfaces, wherein the network interfaces are connected to form a plurality of physical networks and wherein each of the plurality of network interfaces communicates with the operating system kernel;
three or more regions; and
a security policy, wherein the security policy defines rules for communicating between each of the plurality of regions;
wherein each of the physical networks is assigned to a region;
wherein at least one of the regions has two or more networks assigned to that region; and
wherein communication between the plurality of regions is restricted in accordance with the security policy.
32. The secure server according to claim 31, wherein the security policy uses an access rule to restrict communication between two regions and wherein communication between a source and destination region is only allowed if an access rule has been defined for communication from the source region to the destination region.
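The claims above describe one mechanism twice over: networks are grouped into regions (claims 29 and 31 allow a region to hold several physical networks), a rule set names which source region may reach which destination region via which service (the "to-from set" of claim 28), each rule carries path constraints such as encryption, authentication, time of day, concurrent-session and address restrictions (claims 25 and 26), and anything without a matching rule is refused (claim 32). The following Python block is an added worked example of that decision logic; it is not code from the patent or from Secure Computing, and the class names, the sample regions and CIDR blocks, the service names, the rules, and the assumption that networks assigned to the same region may communicate freely are all constructed for illustration. Claim 27's application-level proxy is not modelled; the block only makes the allow/deny decision such a proxy would apply.

```python
# Added example (not the patent's or Secure Computing's code): all class names,
# sample regions, subnets, services and rules here are constructed assumptions.
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Path:
    """Constraints on use of a path (claims 25-26); None means unconstrained."""
    require_encryption: bool = False
    require_auth: bool = False
    hours: Optional[Tuple[time, time]] = None    # time-of-day window (start, end)
    max_sessions: Optional[int] = None           # concurrent sessions limit
    allowed_sources: Optional[List[str]] = None  # address restriction, CIDR strings

@dataclass
class AccessRule:
    """A to-from set bound to one service, plus its path (claim 28)."""
    src_region: str
    dst_region: str
    service: str
    path: Path = field(default_factory=Path)

@dataclass
class Request:
    """A request to set up a service between two addresses."""
    src_ip: str
    dst_ip: str
    service: str
    encrypted: bool = False
    authenticated: bool = False
    now: time = time(12, 0)

class RegionPolicy:
    """Assigns physical networks to regions and restricts traffic between regions."""

    def __init__(self):
        self.regions = {}   # region name -> [ip_network, ...]
        self.rules = {}     # (src_region, dst_region, service) -> AccessRule
        self.sessions = {}  # same key -> number of live sessions

    def assign_network(self, region: str, cidr: str) -> None:
        """Claims 29 and 31: a region may be assigned two or more networks."""
        self.regions.setdefault(region, []).append(ip_network(cidr))

    def add_rule(self, rule: AccessRule) -> None:
        self.rules[(rule.src_region, rule.dst_region, rule.service)] = rule

    def region_of(self, ip: str) -> Optional[str]:
        addr = ip_address(ip)
        for region, nets in self.regions.items():
            if any(addr in net for net in nets):
                return region
        return None

    def decide(self, req: Request) -> Tuple[bool, str]:
        """Compare a request to the rules (claim 28); deny if no rule exists (claim 32)."""
        src, dst = self.region_of(req.src_ip), self.region_of(req.dst_ip)
        if src is None or dst is None:
            return False, "address belongs to no region"
        if src == dst:
            return True, "same region"  # assumption: one region's networks talk freely
        key = (src, dst, req.service)
        rule = self.rules.get(key)
        if rule is None:
            return False, f"no access rule for {src}->{dst} via {req.service}"
        p = rule.path
        if p.require_encryption and not req.encrypted:
            return False, "encryption required"
        if p.require_auth and not req.authenticated:
            return False, "authentication required"
        if p.hours and not (p.hours[0] <= req.now <= p.hours[1]):
            return False, "outside permitted hours"
        if p.allowed_sources and not any(
                ip_address(req.src_ip) in ip_network(c) for c in p.allowed_sources):
            return False, "source address not permitted"
        if p.max_sessions is not None and self.sessions.get(key, 0) >= p.max_sessions:
            return False, "concurrent session limit reached"
        self.sessions[key] = self.sessions.get(key, 0) + 1  # service is established
        return True, "allowed"

    def close(self, req: Request) -> None:
        """Release a session counted by decide()."""
        key = (self.region_of(req.src_ip), self.region_of(req.dst_ip), req.service)
        if self.sessions.get(key, 0) > 0:
            self.sessions[key] -= 1

def build_sample_policy() -> RegionPolicy:
    """Constructed sample: three regions, with 'internal' spanning two networks."""
    pol = RegionPolicy()
    pol.assign_network("internal", "10.1.0.0/16")
    pol.assign_network("internal", "10.2.0.0/16")
    pol.assign_network("dmz", "192.0.2.0/24")
    pol.assign_network("external", "198.51.100.0/24")
    pol.add_rule(AccessRule("internal", "external", "http",
                            Path(require_auth=True, hours=(time(8, 0), time(18, 0)))))
    pol.add_rule(AccessRule("internal", "dmz", "ssh",
                            Path(require_encryption=True, allowed_sources=["10.1.0.0/16"])))
    pol.add_rule(AccessRule("external", "dmz", "smtp", Path(max_sessions=2)))
    return pol
```

The rule key is the full (source region, destination region, service) triple, so a rule permitting HTTP from "internal" to "external" says nothing about the reverse direction or about any other service; with no matching triple, `decide()` refuses, which is the default-deny behaviour claim 32 describes. Calling `build_sample_policy()` and then `decide()` with requests from the two "internal" networks shows the region grouping: a request from 10.2.0.0/16 to the DMZ over ssh is refused by the rule's address restriction even though it originates in the permitted region.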

Priority Applications (3)

Application Number Priority Date Filing Date Title
US09/040,832 US6182226B1 (en) 1998-03-18 1998-03-18 System and method for controlling interactions between networks
EP99912688A EP1062785A2 (en) 1998-03-18 1999-03-18 System and method for controlling interactions between networks
PCT/US1999/005991 WO1999048261A2 (en) 1998-03-18 1999-03-18 System and method for controlling interactions between networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US09/040,832 US6182226B1 (en) 1998-03-18 1998-03-18 System and method for controlling interactions between networks

Publications (1)

Publication Number Publication Date
US6182226B1 true US6182226B1 (en) 2001-01-30

Family

ID=21913217

Family Applications (1)

Application Number Title Priority Date Filing Date
US09/040,832 Expired - Lifetime US6182226B1 (en) 1998-03-18 1998-03-18 System and method for controlling interactions between networks

Country Status (1)

Country Link
US (1) US6182226B1 (en)

Cited By (288)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001046807A1 (en) * 1999-12-22 2001-06-28 Mci Worldcom, Inc. An overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
WO2001057669A1 (en) * 2000-02-04 2001-08-09 Bionetrix Systems Corporation System, method and computer program product for enrolling and authenticating communication protocol-enabled clients for access to information
US20010037384A1 (en) * 2000-05-15 2001-11-01 Brian Jemes System and method for implementing a virtual backbone on a common network infrastructure
US20010037292A1 (en) * 1999-05-28 2001-11-01 David Vogt Provision of transparent proxy services to a user of a client device
US20010042213A1 (en) * 2000-05-15 2001-11-15 Brian Jemes System and method for implementing network security policies on a common network infrastructure
WO2001090838A2 (en) * 2000-05-24 2001-11-29 Voltaire Advanced Data Security Ltd. Filtered application-to-application communication
WO2002023366A1 (en) * 2000-09-12 2002-03-21 Global Integrity Information sharing and analysis system and method
US20020066030A1 (en) * 2000-05-15 2002-05-30 Brawn John Melvin Secure network and method of establishing communication amongst network devices that have restricted network connectivity
US6401204B1 (en) * 1996-06-05 2002-06-04 Siemens Aktiengesellschaft Process for cryptographic code management between a first computer unit and a second computer unit
US20020078199A1 (en) * 2000-12-18 2002-06-20 Tahan Thomas E. Community separation control in a closed multi-community node
US20020078377A1 (en) * 2000-12-15 2002-06-20 Ching-Jye Chang Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications
US20020078231A1 (en) * 2000-12-15 2002-06-20 Ibm Corporation Simplified network packet analyzer for distributed packet snooper
US20020078370A1 (en) * 2000-12-18 2002-06-20 Tahan Thomas E. Controlled information flow between communities via a firewall
US20020087882A1 (en) * 2000-03-16 2002-07-04 Bruce Schneier Mehtod and system for dynamic network intrusion monitoring detection and response
US20020091795A1 (en) * 2001-01-05 2002-07-11 Michael Yip Method and system of aggregate multiple VLANs in a metropolitan area network
US20020108059A1 (en) * 2000-03-03 2002-08-08 Canion Rodney S. Network security accelerator
US20020112064A1 (en) * 2001-02-15 2002-08-15 Roger Eastvold Customer support network
US6438612B1 (en) * 1998-09-11 2002-08-20 Ssh Communications Security, Ltd. Method and arrangement for secure tunneling of data between virtual routers
US20020124069A1 (en) * 2000-12-28 2002-09-05 Hatalkar Atul N. Broadcast communication system with dynamic client-group memberships
US20020129142A1 (en) * 1999-12-21 2002-09-12 Valerie Favier Method and device for configuring a firewall in a computer system
WO2002071224A1 (en) * 2001-03-01 2002-09-12 Storeage Networking Technologies Storage area network (san) security
US6453419B1 (en) * 1998-03-18 2002-09-17 Secure Computing Corporation System and method for implementing a security policy
US20020133596A1 (en) * 2000-02-10 2002-09-19 John Border Selective spoofer and method of performing selective spoofing
US20020133586A1 (en) * 2001-01-16 2002-09-19 Carter Shanklin Method and device for monitoring data traffic and preventing unauthorized access to a network
US20020133717A1 (en) * 2001-03-13 2002-09-19 Ciongoli Bernard M. Physical switched network security
US20020131366A1 (en) * 2000-05-17 2002-09-19 Sharp Clifford F. System and method for traffic management control in a data transmission network
WO2002076029A1 (en) * 2001-03-20 2002-09-26 Worldcom, Inc. System, method and apparatus that isolate virtual private network (vpn) and best effort traffic to resist denial of service attacks
WO2002076050A1 (en) * 2001-03-20 2002-09-26 Worldcom, Inc. Virtual private network (vpn)-aware customer premises equipment (cpe) edge router
US20020138556A1 (en) * 2000-09-28 2002-09-26 Neil Smithline System for managing logical process flow in an online environment
US20020144156A1 (en) * 2001-01-31 2002-10-03 Copeland John A. Network port profiling
US20020152326A1 (en) * 2001-04-03 2002-10-17 David Orshan System, method and computer program product for facilitating local internet service providers to deliver guaranteed bandwidth internet service
US20020154622A1 (en) * 2001-04-18 2002-10-24 Skypilot Network, Inc. Network channel access protocol - slot scheduling
US20020169982A1 (en) * 2001-05-08 2002-11-14 International Business Machines Corporation Method of operating an intrusion detection system according to a set of business rules
WO2002091674A1 (en) * 2001-05-04 2002-11-14 Jai-Hyoung Rhee Network traffic flow control system
US20020188869A1 (en) * 2001-06-11 2002-12-12 Paul Patrick System and method for server security and entitlement processing
US20030005122A1 (en) * 2001-06-27 2003-01-02 International Business Machines Corporation In-kernel content-aware service differentiation
KR20030003593A (en) * 2001-07-03 2003-01-10 (주) 해커스랩 Network Security System and Method for applying Security Rule for Restricted Condition
WO2003005245A2 (en) * 2001-07-06 2003-01-16 Computer Associates Think, Inc. Systems and methods of information backup
US6513122B1 (en) 2001-06-29 2003-01-28 Networks Associates Technology, Inc. Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities
US20030041050A1 (en) * 2001-04-16 2003-02-27 Greg Smith System and method for web-based marketing and campaign management
US20030046583A1 (en) * 2001-08-30 2003-03-06 Honeywell International Inc. Automated configuration of security software suites
US20030043853A1 (en) * 2001-08-15 2003-03-06 Ronald P. Doyle Methods, systems and computer program products for detecting a spoofed source address in IP datagrams
US20030051155A1 (en) * 2001-08-31 2003-03-13 International Business Machines Corporation State machine for accessing a stealth firewall
US20030065950A1 (en) * 2001-09-28 2003-04-03 Yarborough William Jordan Secured FTP architecture
US20030065944A1 (en) * 2001-09-28 2003-04-03 Mao Yu Ming Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device
US20030065812A1 (en) * 2001-09-28 2003-04-03 Niels Beier Tagging packets with a lookup key to facilitate usage of a unified packet forwarding cache
US6546546B1 (en) * 1999-05-19 2003-04-08 International Business Machines Corporation Integrating operating systems and run-time systems
US20030070096A1 (en) * 2001-08-14 2003-04-10 Riverhead Networks Inc. Protecting against spoofed DNS messages
WO2003044676A1 (en) * 2001-11-20 2003-05-30 Senvid, Inc. Access and control system for network-enabled devices
US20030105974A1 (en) * 2001-10-24 2003-06-05 Philip B. Griffin System and method for rule-based entitlements
WO2003049400A1 (en) * 2001-12-07 2003-06-12 Ssh Communications Security Corporation Application gateway system, and method for maintaining security in a packet-switched information network
US20030110394A1 (en) * 2000-05-17 2003-06-12 Sharp Clifford F. System and method for detecting and eliminating IP spoofing in a data transmission network
US20030115322A1 (en) * 2001-12-13 2003-06-19 Moriconi Mark S. System and method for analyzing security policies in a distributed computer network
US20030115484A1 (en) * 1998-10-28 2003-06-19 Moriconi Mark S. System and method for incrementally distributing a security policy in a computer network
US20030115480A1 (en) * 2001-12-17 2003-06-19 Worldcom, Inc. System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks
US20030120955A1 (en) * 1999-01-29 2003-06-26 Lucent Technologies Inc. Method and apparatus for managing a firewall
US20030126468A1 (en) * 2001-05-25 2003-07-03 Markham Thomas R. Distributed firewall system and method
US6601233B1 (en) 1999-07-30 2003-07-29 Accenture Llp Business components framework
US20030145104A1 (en) * 2002-01-23 2003-07-31 International Business Machines Corporation Virtual private network and tunnel gateway with multiple overlapping, remote subnets
US20030149787A1 (en) * 2002-02-01 2003-08-07 Mangan John F. Policy based routing system and method for caching and VPN tunneling
US20030149899A1 (en) * 1999-01-29 2003-08-07 International Business Machines Corporation System and method for network address translation integration with IP security
US20030154199A1 (en) * 2001-12-18 2003-08-14 Shawn Thomas Method and system for integrated asset management
US20030154380A1 (en) * 2002-02-08 2003-08-14 James Richmond Controlling usage of network resources by a user at the user's entry point to a communications network based on an identity of the user
US20030152035A1 (en) * 2002-02-08 2003-08-14 Pettit Steven A. Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules
US20030152067A1 (en) * 2002-02-08 2003-08-14 Enterasys Networks, Inc. Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users
WO2003079605A1 (en) * 2002-03-12 2003-09-25 Reactivity, Inc. Providing security for external access to a protected computer network
US20030191937A1 (en) * 2002-04-04 2003-10-09 Joel Balissat Multipoint server for providing secure, scaleable connections between a plurality of network devices
US20030191843A1 (en) * 2002-04-04 2003-10-09 Joel Balissat Secure network connection for devices on a private network
US20030191963A1 (en) * 2002-04-04 2003-10-09 Joel Balissat Method and system for securely scanning network traffic
US20030196095A1 (en) * 2002-04-11 2003-10-16 International Business Machines Corporation Detecting dissemination of malicious programs
US20030200441A1 (en) * 2002-04-19 2003-10-23 International Business Machines Corporation Detecting randomness in computer network traffic
EP1370027A1 (en) * 2002-06-05 2003-12-10 T.I.P. Holdings GmbH Computer network leakage detection, location and identification
US20040006708A1 (en) * 2002-07-02 2004-01-08 Lucent Technologies Inc. Method and apparatus for enabling peer-to-peer virtual private network (P2P-VPN) services in VPN-enabled network
EP1381199A1 (en) * 2002-07-12 2004-01-14 Alcatel Firewall for dynamically granting and denying network resources
US20040010598A1 (en) * 2002-05-01 2004-01-15 Bea Systems, Inc. Portal setup wizard
US6701437B1 (en) * 1998-04-17 2004-03-02 Vpnet Technologies, Inc. Method and apparatus for processing communications in a virtual private network
US20040044908A1 (en) * 2002-09-04 2004-03-04 Secure Computing Corporation System and method for transmitting and receiving secure data in a virtual private group
WO2003025697A3 (en) * 2001-09-21 2004-03-04 Riverhead Networks Inc Protecting network traffic against spoofed domain name system (dns) messages
US6704873B1 (en) * 1999-07-30 2004-03-09 Accenture Llp Secure gateway interconnection in an e-commerce based environment
WO2004023307A1 (en) * 2002-09-06 2004-03-18 O2Micro, Inc. Vpn and firewall integrated system
US6718535B1 (en) 1999-07-30 2004-04-06 Accenture Llp System, method and article of manufacture for an activity framework design in an e-commerce based environment
US20040068568A1 (en) * 2002-05-01 2004-04-08 Griffin Philip B. Enterprise application platform
US20040068554A1 (en) * 2002-05-01 2004-04-08 Bea Systems, Inc. Web service-enabled portlet wizard
US20040068562A1 (en) * 2002-10-02 2004-04-08 Tilton Earl W. System and method for managing access to active devices operably connected to a data network
US20040073617A1 (en) * 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US20040078432A1 (en) * 2000-02-22 2004-04-22 Yahoo! Inc. Systems and methods for matching participants to a conversation
US20040083382A1 (en) * 2002-10-28 2004-04-29 Secure Computing Corporation Associative policy model
US20040088571A1 (en) * 2002-01-31 2004-05-06 John Jerrim Network service zone locking
US20040097243A1 (en) * 2000-06-30 2004-05-20 Zellner Samuel N. Location blocking service for wireless networks
US20040103211A1 (en) * 2002-11-21 2004-05-27 Jackson Eric S. System and method for managing computer networks
US20040123139A1 (en) * 2002-12-18 2004-06-24 At&T Corp. System having filtering/monitoring of secure connections
WO2004062187A1 (en) * 2002-12-31 2004-07-22 American Express Travel Related Services Company, Inc. Method and system for modular authentication and session management
US20040146006A1 (en) * 2003-01-24 2004-07-29 Jackson Daniel H. System and method for internal network data traffic control
US20040162905A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. Method for role and resource policy management optimization
US20040162733A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. Method for delegated administration
US20040162906A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. System and method for hierarchical role-based entitlements
US20040162880A1 (en) * 2003-02-18 2004-08-19 Arnone David J. Method and system for secure alert messaging
US20040168084A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Federated management of content repositories
US20040167867A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Virtual content repository application program interface
US20040167899A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Virtual content repository browser
US20040172449A1 (en) * 1999-12-02 2004-09-02 Lambertus Hesselink VCR webification
US20040215771A1 (en) * 2002-03-05 2004-10-28 Hayes John W. Concealing a network connected device
US20040220882A1 (en) * 2003-04-29 2004-11-04 Suto Lawrence B. Method and apparatus for a broker entity
US20040230947A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for personalizing a portal
US20040230679A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for portal and web server administration
US20040230917A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for navigating a graphical hierarchy
US20040230557A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for context-sensitive editing
US6826698B1 (en) * 2000-09-15 2004-11-30 Networks Associates Technology, Inc. System, method and computer program product for rule based network security policies
US20050021999A1 (en) * 2003-03-03 2005-01-27 Riverhead Networks Inc. Using TCP to authenticate IP source addresses
US20050022023A1 (en) * 2003-07-25 2005-01-27 Stanley Chincheck Systems and methods for providing increased computer security
US20050044352A1 (en) * 2001-08-30 2005-02-24 Riverhead Networks, Inc. Protecting against spoofed DNS messages
US20050066053A1 (en) * 2001-03-20 2005-03-24 Worldcom, Inc. System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks
US20050066166A1 (en) * 2003-07-03 2005-03-24 Chin Ken C.K. Unified wired and wireless switch architecture
US20050063398A1 (en) * 2003-07-03 2005-03-24 Choudhury Abhijit K. Method of implementing L3 switching, network address port translation, and ALG support using a combination of hardware and firmware
US20050081062A1 (en) * 2003-10-10 2005-04-14 Bea Systems, Inc. Distributed enterprise security system
EP1524819A2 (en) * 2003-10-17 2005-04-20 Microsoft Corporation Network fingerprinting
GB2407464A (en) * 2002-09-06 2005-04-27 O2Micro Inc VPN and firewall integrated system
US20050097166A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy inheritance through nested groups
US20050097352A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Embeddable security service module
US20050097353A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy analysis tool
US6898717B1 (en) * 2000-07-20 2005-05-24 International Business Machines Corporation Network domain with secured and unsecured servers
US20050114711A1 (en) * 1999-12-02 2005-05-26 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US20050138412A1 (en) * 2003-02-14 2005-06-23 Griffin Philip B. Resource management with policies
US20050138186A1 (en) * 1999-12-02 2005-06-23 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US20050144195A1 (en) * 1999-12-02 2005-06-30 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US6914905B1 (en) 2000-06-16 2005-07-05 Extreme Networks, Inc. Method and system for VLAN aggregation
US20050149481A1 (en) * 1999-12-02 2005-07-07 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US20050188295A1 (en) * 2004-02-25 2005-08-25 Loren Konkus Systems and methods for an extensible administration tool
US20050210533A1 (en) * 2001-11-30 2005-09-22 Copeland John A Packet Sampling Flow-Based Detection of Network Intrusions
EP1585005A1 (en) * 2004-04-08 2005-10-12 Thomson Multimedia Broadband Belgium Security device and process and associated products
US20050228816A1 (en) * 2004-04-13 2005-10-13 Bea Systems, Inc. System and method for content type versions
US20050228827A1 (en) * 2004-04-13 2005-10-13 Bea Systems, Inc. System and method for viewing a virtual content repository
US20050228784A1 (en) * 2004-04-13 2005-10-13 Bea Systems, Inc. System and method for batch operations in a virtual content repository
US20050234849A1 (en) * 2004-04-13 2005-10-20 Bea Systems, Inc. System and method for content lifecycles
US20050232165A1 (en) * 2000-05-15 2005-10-20 Brawn John M System and method of aggregating discontiguous address ranges into addresses and masks using a plurality of repeating address blocks
US20050240714A1 (en) * 2004-04-13 2005-10-27 Bea Systems, Inc. System and method for virtual content repository deployment
US6961783B1 (en) 2001-12-21 2005-11-01 Networks Associates Technology, Inc. DNS server access control system and method
US20050251506A1 (en) * 2004-04-13 2005-11-10 Bea Systems, Inc. System and method for providing content services to a repository
US20050251852A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Distributed enterprise security system
US20050251505A1 (en) * 2004-04-13 2005-11-10 Bea Systems, Inc. System and method for information lifecycle workflow integration
US20050251851A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Configuration of a distributed security system
US20050251502A1 (en) * 2004-04-13 2005-11-10 Bea Systems, Inc. System and method for virtual content repository entitlements
US20050251504A1 (en) * 2004-04-13 2005-11-10 Bea Systems, Inc. System and method for custom content lifecycles
US20050257245A1 (en) * 2003-10-10 2005-11-17 Bea Systems, Inc. Distributed security system with dynamic roles
US20050262362A1 (en) * 2003-10-10 2005-11-24 Bea Systems, Inc. Distributed security system policies
US20050268334A1 (en) * 1999-12-02 2005-12-01 Lambertus Hesselink Access and control system for network-enabled devices
US20050272445A1 (en) * 2000-12-19 2005-12-08 Bellsouth Intellectual Property Corporation Location-based security rules
US6976078B1 (en) * 2000-05-08 2005-12-13 International Business Machines Corporation Process for simultaneous user access using access control structures for authoring systems
US6976071B1 (en) * 2000-05-03 2005-12-13 Nortel Networks Limited Detecting if a secure link is alive
US20050287442A1 (en) * 2004-06-21 2005-12-29 Kim Jin H Electrolyte for lithium ion rechargeable battery and lithium ion rechargeable battery including the same
US6986160B1 (en) * 2001-08-31 2006-01-10 Mcafee, Inc. Security scanning system and method utilizing generic IP addresses
US20060028252A1 (en) * 2004-04-13 2006-02-09 Bea Systems, Inc. System and method for content type management
US7006993B1 (en) 1999-05-28 2006-02-28 The Coca-Cola Company Method and apparatus for surrogate control of network-based electronic transactions
US7010696B1 (en) 2001-03-30 2006-03-07 Mcafee, Inc. Method and apparatus for predicting the incidence of a virus
US7016980B1 (en) * 2000-01-18 2006-03-21 Lucent Technologies Inc. Method and apparatus for analyzing one or more firewalls
US20060064469A1 (en) * 2004-09-23 2006-03-23 Cisco Technology, Inc. System and method for URL filtering in a firewall
US7035825B1 (en) * 2000-01-04 2006-04-25 E.Piphany, Inc. Managing relationships of parties interacting on a network
US20060089134A1 (en) * 2000-12-19 2006-04-27 Bellsouth Intellectual Property Corporation System and method for using location information to execute an action
US7039721B1 (en) * 2001-01-26 2006-05-02 Mcafee, Inc. System and method for protecting internet protocol addresses
US7058976B1 (en) 2000-05-17 2006-06-06 Deep Nines, Inc. Intelligent feedback loop process control system
US20060136590A1 (en) * 2000-05-16 2006-06-22 America Online, Inc. Throttling electronic communications from one or more senders
US7100195B1 (en) 1999-07-30 2006-08-29 Accenture Llp Managing user information on an e-commerce system
US7107464B2 (en) 2001-07-10 2006-09-12 Telecom Italia S.P.A. Virtual private network mechanism incorporating security association processor
US7131141B1 (en) * 2001-07-27 2006-10-31 At&T Corp. Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network
US7133904B1 (en) * 1999-11-09 2006-11-07 International Business Machines Corporation Client server system, server, client, proxy server control method, proxy server function provision method, storage medium and program transmission apparatus
KR100643281B1 (en) 2004-10-09 2006-11-10 삼성전자주식회사 Apparatus, system and method for security service in home network
US7143151B1 (en) * 1998-05-19 2006-11-28 Hitachi, Ltd. Network management system for generating setup information for a plurality of devices based on common meta-level information
US20060282508A1 (en) * 2005-06-09 2006-12-14 International Business Machines Corporation System and method of responding to a flood attack on a data processing system
US20070005563A1 (en) * 2005-06-30 2007-01-04 Veveo, Inc. Method and system for incremental search with reduced text entry where the relevance of results is a dynamically computed function of user input search string character count
US7162536B1 (en) * 2000-06-20 2007-01-09 Nortel Networks Limited Validation of a connection between arbitrary end-nodes in a communications network
US20070010260A1 (en) * 2000-12-19 2007-01-11 Bellsouth Intellectual Property Corporation System and method for using location information to execute an action
US20070016945A1 (en) * 2005-07-15 2007-01-18 Microsoft Corporation Automatically generating rules for connection security
US7185368B2 (en) 2000-11-30 2007-02-27 Lancope, Inc. Flow-based detection of network intrusions
US7194767B1 (en) * 2002-06-28 2007-03-20 Sprint Communications Company L.P. Screened subnet having a secured utility VLAN
US20070067589A1 (en) * 2005-09-20 2007-03-22 Cisco Technology, Inc. Smart zoning to enforce interoperability matrix in a storage area network
US20070073672A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for lightweight loading for managing content
US20070073784A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for type inheritance for content management
US20070073673A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for content management security
US20070073661A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for providing nested types for content management
US20070073674A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for providing federated events for content management systems
US20070073744A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for providing link property types for content management
US20070074169A1 (en) * 2005-08-25 2007-03-29 Fortify Software, Inc. Apparatus and method for analyzing and supplementing a program to provide security
US20070073671A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. Method and system for interacting with a virtual content repository
US20070136237A1 (en) * 2005-10-12 2007-06-14 Business Objects, S.A. Apparatus and method for generating reports with masked confidential data
US20070143836A1 (en) * 2005-12-19 2007-06-21 Quest Software, Inc. Apparatus system and method to provide authentication services to legacy applications
US7240076B2 (en) 2004-04-13 2007-07-03 Bea Systems, Inc. System and method for providing a lifecycle for information in a virtual content repository
US20070168547A1 (en) * 2006-01-13 2007-07-19 Fortinet, Inc. Computerized system and method for handling network traffic
US7249374B1 (en) * 2001-01-22 2007-07-24 Cisco Technology, Inc. Method and apparatus for selectively enforcing network security policies using group identifiers
US20070180526A1 (en) * 2001-11-30 2007-08-02 Lancope, Inc. Flow-based detection of network intrusions
US20070192843A1 (en) * 2006-02-13 2007-08-16 Quest Software, Inc. Disconnected credential validation using pre-fetched service tickets
US7266604B1 (en) * 2000-03-31 2007-09-04 Microsoft Corporation Proxy network address translation
US7272625B1 (en) * 1997-03-10 2007-09-18 Sonicwall, Inc. Generalized policy server
US20070220187A1 (en) * 2006-03-20 2007-09-20 Lawrence Kates Virus-resistant computer with data interface for filtering data
US20070266433A1 (en) * 2006-03-03 2007-11-15 Hezi Moore System and Method for Securing Information in a Virtual Computing Environment
US7299489B1 (en) * 2000-05-25 2007-11-20 Lucent Technologies Inc. Method and apparatus for host probing
US20070288992A1 (en) * 2006-06-08 2007-12-13 Kyle Lane Robinson Centralized user authentication system apparatus and method
US20070289017A1 (en) * 2001-01-31 2007-12-13 Lancope, Inc. Network port profiling
US7318237B2 (en) 1998-10-28 2008-01-08 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
US20080042899A1 (en) * 1995-06-06 2008-02-21 Stewart Brett B Method and Apparatus for Geographic-Based Communications Service
US7356840B1 (en) * 2001-06-19 2008-04-08 Microstrategy Incorporated Method and system for implementing security filters for reporting systems
US20080086527A1 (en) * 2006-10-06 2008-04-10 Bea Systems, Inc. Groupware portlets for integrating a portal with groupware systems
US20080091803A1 (en) * 2004-05-21 2008-04-17 Li Liu Method for managing a virtual private network
US20080104250A1 (en) * 2006-10-30 2008-05-01 Nikolay Vanyukhin Identity migration system apparatus and method
US20080104220A1 (en) * 2006-10-30 2008-05-01 Nikolay Vanyukhin Identity migration apparatus and method
US20080109890A1 (en) * 2006-11-03 2008-05-08 Microsoft Corporation Selective auto-revocation of firewall security settings
US20080168559A1 (en) * 2007-01-04 2008-07-10 Cisco Technology, Inc. Protection against reflection distributed denial of service attacks
US7415478B2 (en) 2003-02-20 2008-08-19 Bea Systems, Inc. Virtual repository complex content model
US7418492B1 (en) 2002-06-20 2008-08-26 P-Cube Ltd. System and a method for testing network communication devices
US20080240436A1 (en) * 2005-04-19 2008-10-02 International Business Machines Corporation Method and apparatus for determining whether to encrypt outbound traffic
US20080250484A1 (en) * 2001-12-28 2008-10-09 Chong Lester J System and method for content filtering
US7483904B2 (en) 2003-02-20 2009-01-27 Bea Systems, Inc. Virtual repository content model
US7499948B2 (en) 2001-04-16 2009-03-03 Bea Systems, Inc. System and method for web-based personalization and ecommerce management
US20090089874A1 (en) * 2007-09-27 2009-04-02 Surendranath Mohanty Techniques for virtual private network (vpn) access
US20090113517A1 (en) * 2007-10-31 2009-04-30 Microsoft Corporation Security state aware firewall
US7546353B2 (en) 1999-12-02 2009-06-09 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7568224B1 (en) 2004-12-06 2009-07-28 Cisco Technology, Inc. Authentication of SIP and RTP traffic
US7574738B2 (en) 2002-11-06 2009-08-11 At&T Intellectual Property Ii, L.P. Virtual private network crossovers based on certificates
US7580953B2 (en) 2004-04-13 2009-08-25 Bea Systems, Inc. System and method for schema lifecycles in a virtual content repository that integrates a plurality of content repositories
US7587467B2 (en) 1999-12-02 2009-09-08 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7620733B1 (en) 2005-03-30 2009-11-17 Cisco Technology, Inc. DNS anti-spoofing using UDP
US20100011433A1 (en) * 2008-07-14 2010-01-14 Tufin Software Technologies Ltd. Method of configuring a security gateway and system thereof
US20100069035A1 (en) * 2008-03-14 2010-03-18 Johnson William J Systema and method for location based exchanges of data facilitating distributed location applications
US7711790B1 (en) 2000-08-24 2010-05-04 Foundry Networks, Inc. Securing an accessible computer system
US7725587B1 (en) * 2000-08-24 2010-05-25 Aol Llc Deep packet scan hacker identification
US7730137B1 (en) 2003-12-22 2010-06-01 Aol Inc. Restricting the volume of outbound electronic messages originated by a single entity
US20100138909A1 (en) * 2002-09-06 2010-06-03 O2Micro, Inc. Vpn and firewall integrated system
US20100138535A1 (en) * 2002-03-25 2010-06-03 Lancope, Inc. Network service zone locking
US7774601B2 (en) 2004-04-06 2010-08-10 Bea Systems, Inc. Method for delegated administration
US20100235748A1 (en) * 2008-03-14 2010-09-16 Johnson William J System and method for automated content presentation objects
US20100235274A1 (en) * 2006-03-03 2010-09-16 Yu-Chiuan Chen Anti-terror platform for securing a community against terrorisms
US7821926B2 (en) 1997-03-10 2010-10-26 Sonicwall, Inc. Generalized policy server
US20100325730A1 (en) * 2009-06-17 2010-12-23 Vendor Safe Technologies System and Method for Remotely Securing a Network from Unauthorized Access
US7873991B1 (en) * 2000-02-11 2011-01-18 International Business Machines Corporation Technique of defending against network flooding attacks using a connectionless protocol
US7941837B1 (en) * 2007-04-18 2011-05-10 Juniper Networks, Inc. Layer two firewall with active-active high availability support
US20110113483A1 (en) * 2009-11-11 2011-05-12 Microsoft Corporation Virtual host security profiles
US7953734B2 (en) 2005-09-26 2011-05-31 Oracle International Corporation System and method for providing SPI extensions for content management system
US20110231555A1 (en) * 2000-01-18 2011-09-22 Hashem Mohammad Ebrahimi Brokering state information and identity among user agents, origin servers, and proxies
US20110231443A1 (en) * 1999-02-16 2011-09-22 Clifford Lee Hannel Query interface to policy server
US20110238979A1 (en) * 2010-03-23 2011-09-29 Adventium Labs Device for Preventing, Detecting and Responding to Security Threats
US8051474B1 (en) 2006-09-26 2011-11-01 Avaya Inc. Method and apparatus for identifying trusted sources based on access point
US20120192262A1 (en) * 2001-12-20 2012-07-26 Mcafee, Inc., A Delaware Corporation Network adapter firewall system and method
US8245242B2 (en) 2004-07-09 2012-08-14 Quest Software, Inc. Systems and methods for managing policies on a computer
US8255984B1 (en) 2009-07-01 2012-08-28 Quest Software, Inc. Single sign-on system for shared resource environments
US20120331104A1 (en) * 2011-04-19 2012-12-27 International Business Machines Corporation Controlling communication among multiple industrial control systems
US20130003582A1 (en) * 2010-03-05 2013-01-03 Ahnlab, Inc. Network splitting device, system and method using virtual environments
US20130016470A1 (en) * 2011-07-13 2013-01-17 Dell Products L.P. Mini Appliance
US8402117B2 (en) 2000-06-30 2013-03-19 At&T Intellectual Property I, L.P. Anonymous location service for wireless networks
US8494501B2 (en) 2000-12-19 2013-07-23 At&T Intellectual Property I, L.P. Identity blocking service from a wireless service provider
US8509813B2 (en) 2000-12-19 2013-08-13 At&T Intellectual Property I, L.P. Location blocking service from a wireless service provider
US8538456B2 (en) 2000-12-19 2013-09-17 At&T Intellectual Property I, L.P. Surveying wireless device users by location
US8578444B2 (en) 2003-09-24 2013-11-05 Info Express, Inc. Systems and methods of controlling network access
US8588130B2 (en) 1999-11-03 2013-11-19 Wayport, Inc. Distributed network communication system to provide wireless access to a computing device at a reduced rate
US8600341B2 (en) 2008-03-14 2013-12-03 William J. Johnson System and method for location based exchanges of data facilitating distributed locational applications
US8606851B2 (en) 1995-06-06 2013-12-10 Wayport, Inc. Method and apparatus for geographic-based communications service
US8639267B2 (en) 2008-03-14 2014-01-28 William J. Johnson System and method for location based exchanges of data facilitating distributed locational applications
US8646031B2 (en) 2010-12-16 2014-02-04 Tufin Software Technologies Ltd Method of generating security rule-set and system thereof
US8666828B1 (en) * 2010-11-10 2014-03-04 Amazon Technologies, Inc. Separating control of network sites
US8676969B2 (en) 2004-02-06 2014-03-18 Microsoft Corporation Network classification
US8843515B2 (en) 2012-03-07 2014-09-23 Snap Trends, Inc. Methods and systems of aggregating information of social networks based on geographical locations via a network
US8897742B2 (en) 2009-11-13 2014-11-25 William J. Johnson System and method for sudden proximal user interface
US8942693B2 (en) 2008-03-14 2015-01-27 William J. Johnson System and method for targeting data processing system(s) with data
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9009798B2 (en) 2000-03-23 2015-04-14 Citibank, N.A. System, method and computer program product for providing unified authentication services for online applications
US9055098B2 (en) 2001-12-20 2015-06-09 Mcafee, Inc. Embedded anti-virus scanner for a network adapter
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9191443B2 (en) 1999-12-02 2015-11-17 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US9313187B1 (en) * 2010-11-10 2016-04-12 Amazon Technologies, Inc. Network site customization using proxies
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9466076B2 (en) 2000-12-19 2016-10-11 At&T Intellectual Property I, L.P. Location blocking service from a web advertiser
US9477991B2 (en) 2013-08-27 2016-10-25 Snap Trends, Inc. Methods and systems of aggregating information of geographic context regions of social networks based on geographical locations via a network
US9503420B2 (en) 2013-04-09 2016-11-22 Electronics And Telecommunications Research Institute Logical network separation method and apparatus
US9648454B2 (en) 2000-12-19 2017-05-09 At&T Intellectual Property I, L.P. System and method for permission to access mobile location information
USRE46439E1 (en) 1997-03-10 2017-06-13 Dropbox, Inc. Distributed administration of access to information and interface for same
US9894489B2 (en) 2013-09-30 2018-02-13 William J. Johnson System and method for situational proximity observation alerting privileged recipients
US9961096B1 (en) 2013-09-17 2018-05-01 Cisco Technology, Inc. Distributed behavior based anomaly detection
US10015162B2 (en) * 2015-05-11 2018-07-03 Huawei Technologies Co., Ltd. Firewall authentication of controller-generated internet control message protocol (ICMP) echo requests
US10129273B2 (en) 2001-11-30 2018-11-13 Cisco Technology, Inc. System and methods for computer network security involving user confirmation of network connections
US10387270B2 (en) 2005-04-21 2019-08-20 Justservice.Net Llc Data backup, storage, transfer and retrieval system, method and computer program product
US10411975B2 (en) 2013-03-15 2019-09-10 Csc Agility Platform, Inc. System and method for a cloud computing abstraction with multi-tier deployment policy
US10476868B2 (en) 2005-04-21 2019-11-12 Justservice.Net Llc Data backup and transfer system, method and computer program product
US10491613B1 (en) * 2019-01-22 2019-11-26 Capital One Services, Llc Systems and methods for secure communication in cloud computing environments
US10880189B2 (en) 2008-06-19 2020-12-29 Csc Agility Platform, Inc. System and method for a cloud computing abstraction with self-service portal for publishing resources
US11695773B2 (en) 2020-09-28 2023-07-04 Salesforce, Inc. Distributing dynamic access control lists for managing interactions with a cloud datacenter

Citations (60)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3956615A (en) 1974-06-25 1976-05-11 Ibm Corporation Transaction execution system with secure data storage and communications
US4104721A (en) 1976-12-30 1978-08-01 International Business Machines Corporation Hierarchical security mechanism for dynamically assigning security levels to object programs
US4177510A (en) 1973-11-30 1979-12-04 Compagnie Internationale pour l'Informatique, CII Honeywell Bull Protection of data in an information multiprocessing system by implementing a concept of rings to represent the different levels of privileges among processes
US4442484A (en) 1980-10-14 1984-04-10 Intel Corporation Microprocessor memory management and protection mechanism
US4584639A (en) 1983-12-23 1986-04-22 Key Logic, Inc. Computer security system
US4621321A (en) 1984-02-16 1986-11-04 Honeywell Inc. Secure data processing system architecture
US4648031A (en) 1982-06-21 1987-03-03 International Business Machines Corporation Method and apparatus for restarting a computing system
US4713753A (en) 1985-02-21 1987-12-15 Honeywell Inc. Secure data processing system architecture with format control
US4870571A (en) 1983-05-04 1989-09-26 The Johns Hopkins University Intercomputer communications based on message broadcasting with receiver selection
US4885789A (en) 1988-02-01 1989-12-05 International Business Machines Corporation Remote trusted path mechanism for telnet
US4914568A (en) 1986-10-24 1990-04-03 National Instruments, Inc. Graphical system for modelling a process and associated method
US5093914A (en) 1989-12-15 1992-03-03 At&T Bell Laboratories Method of controlling the execution of object-oriented programs
US5124984A (en) 1990-08-07 1992-06-23 Concord Communications, Inc. Access controller for local area network
US5153918A (en) 1990-11-19 1992-10-06 Vorec Corporation Security system for data communications
US5204961A (en) 1990-06-25 1993-04-20 Digital Equipment Corporation Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols
US5228083A (en) 1991-06-28 1993-07-13 Digital Equipment Corporation Cryptographic processing in a communication network, using a single cryptographic engine
EP0554182A1 (en) 1992-01-28 1993-08-04 Electricite De France Method, apparatus and device for message cyphering between interconnected networks
US5263147A (en) 1991-03-01 1993-11-16 Hughes Training, Inc. System for providing high security for personal computers and workstations
US5272754A (en) 1991-03-28 1993-12-21 Secure Computing Corporation Secure computer interface
US5276735A (en) 1992-04-17 1994-01-04 Secure Computing Corporation Data enclave and trusted path system
US5303303A (en) 1990-07-18 1994-04-12 Gpt Limited Data communication system using encrypted data packets
US5305385A (en) 1991-10-15 1994-04-19 Ungermann-Bass, Inc. Network message security method and apparatus
US5311593A (en) 1992-05-13 1994-05-10 Chipcom Corporation Security system for a network concentrator
US5329623A (en) 1992-06-17 1994-07-12 The Trustees Of The University Of Pennsylvania Apparatus for providing cryptographic support in a network
US5333266A (en) 1992-03-27 1994-07-26 International Business Machines Corporation Method and apparatus for message handling in computer systems
US5355474A (en) 1991-09-27 1994-10-11 Thuraisngham Bhavani M System for multilevel secure database management using a knowledge base with release-based and other security constraints for query, response and update modification
US5414833A (en) 1993-10-27 1995-05-09 International Business Machines Corporation Network security system and method using a parallel finite state machine adaptive active monitor and responder
US5416842A (en) 1994-06-10 1995-05-16 Sun Microsystems, Inc. Method and apparatus for key-management scheme for use with internet protocols at site firewalls
GB2287619A (en) 1994-03-03 1995-09-20 Ibm Security device for data communications networks
US5455828A (en) 1992-08-17 1995-10-03 Zisapel; Yehuda Carrier sensing multiple access/collision detection local area networks
US5485460A (en) 1994-08-19 1996-01-16 Microsoft Corporation System and method for running multiple incompatible network protocol stacks
US5511122A (en) 1994-06-03 1996-04-23 The United States Of America As Represented By The Secretary Of The Navy Intermediate network authentication
WO1996013113A1 (en) 1994-10-12 1996-05-02 Secure Computing Corporation System and method for providing secure internetwork services
US5548646A (en) 1994-09-15 1996-08-20 Sun Microsystems, Inc. System for signatureless transmission and reception of data packets between computer networks
US5550984A (en) 1994-12-07 1996-08-27 Matsushita Electric Corporation Of America Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information
US5566170A (en) 1994-12-29 1996-10-15 Storage Technology Corporation Method and apparatus for accelerated packet forwarding
WO1996035994A1 (en) 1995-05-08 1996-11-14 Compuserve Incorporated Rules based electronic message management system
EP0743777A2 (en) 1995-05-18 1996-11-20 Sun Microsystems, Inc. System for packet filtering of data packets at a computer network interface
US5586260A (en) 1993-02-12 1996-12-17 Digital Equipment Corporation Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms
US5604490A (en) 1994-09-09 1997-02-18 International Business Machines Corporation Method and system for providing a user access to multiple secured subsystems
US5606668A (en) 1993-12-15 1997-02-25 Checkpoint Software Technologies Ltd. System for securing inbound and outbound data packet flow in a computer network
US5615340A (en) 1994-07-21 1997-03-25 Allied Telesyn Int'l Corp. Network interfacing apparatus and method using repeater and cascade interface with scrambling
US5619648A (en) 1994-11-30 1997-04-08 Lucent Technologies Inc. Message filtering techniques
WO1997013340A1 (en) 1995-09-18 1997-04-10 Digital Secured Networks Technology, Inc. Network security device
US5623601A (en) * 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
US5636371A (en) 1995-06-07 1997-06-03 Bull Hn Information Systems Inc. Virtual network mechanism to access well known port application programs running on a single host system
US5644571A (en) 1992-06-15 1997-07-01 Digital Equipment Corporation Apparatus for message filtering in a network using domain class
WO1997026731A1 (en) 1996-01-16 1997-07-24 Raptor Systems, Inc. Data encryption/decryption for network communication
WO1997026734A1 (en) 1996-01-16 1997-07-24 Raptor Systems, Inc. Transferring encrypted packets over a public network
WO1997026735A1 (en) 1996-01-16 1997-07-24 Raptor Systems, Inc. Key management for network communication
WO1997029413A2 (en) 1996-02-09 1997-08-14 Secure Computing Corporation System and method for achieving network separation
US5671279A (en) 1995-11-13 1997-09-23 Netscape Communications Corporation Electronic commerce using a secure courier system
US5673322A (en) 1996-03-22 1997-09-30 Bell Communications Research, Inc. System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks
US5684951A (en) 1996-03-20 1997-11-04 Synopsys, Inc. Method and system for user authorization over a multi-user computer system
US5689566A (en) 1995-10-24 1997-11-18 Nguyen; Minhtam C. Network with secure communications sessions
US5699513A (en) 1995-03-31 1997-12-16 Motorola, Inc. Method for secure network access via message intercept
US5706507A (en) 1995-07-05 1998-01-06 International Business Machines Corporation System and method for controlling access to data located on a content server
US5708780A (en) 1995-06-07 1998-01-13 Open Market, Inc. Internet server access control and monitoring systems
US5968176A (en) * 1997-05-29 1999-10-19 3Com Corporation Multilayer firewall system
US5983350A (en) 1996-09-18 1999-11-09 Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status

Patent Citations (64)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4177510A (en) 1973-11-30 1979-12-04 Compagnie Internationale pour l'Informatique, CII Honeywell Bull Protection of data in an information multiprocessing system by implementing a concept of rings to represent the different levels of privileges among processes
US3956615A (en) 1974-06-25 1976-05-11 Ibm Corporation Transaction execution system with secure data storage and communications
US4104721A (en) 1976-12-30 1978-08-01 International Business Machines Corporation Hierarchical security mechanism for dynamically assigning security levels to object programs
US4442484A (en) 1980-10-14 1984-04-10 Intel Corporation Microprocessor memory management and protection mechanism
US4648031A (en) 1982-06-21 1987-03-03 International Business Machines Corporation Method and apparatus for restarting a computing system
US4870571A (en) 1983-05-04 1989-09-26 The Johns Hopkins University Intercomputer communications based on message broadcasting with receiver selection
US4584639A (en) 1983-12-23 1986-04-22 Key Logic, Inc. Computer security system
US4621321A (en) 1984-02-16 1986-11-04 Honeywell Inc. Secure data processing system architecture
US4701840A (en) 1984-02-16 1987-10-20 Honeywell Inc. Secure data processing system architecture
US4713753A (en) 1985-02-21 1987-12-15 Honeywell Inc. Secure data processing system architecture with format control
US4914568A (en) 1986-10-24 1990-04-03 National Instruments, Inc. Graphical system for modelling a process and associated method
US4885789A (en) 1988-02-01 1989-12-05 International Business Machines Corporation Remote trusted path mechanism for telnet
US5093914A (en) 1989-12-15 1992-03-03 At&T Bell Laboratories Method of controlling the execution of object-oriented programs
US5204961A (en) 1990-06-25 1993-04-20 Digital Equipment Corporation Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols
US5303303A (en) 1990-07-18 1994-04-12 Gpt Limited Data communication system using encrypted data packets
US5124984A (en) 1990-08-07 1992-06-23 Concord Communications, Inc. Access controller for local area network
US5153918A (en) 1990-11-19 1992-10-06 Vorec Corporation Security system for data communications
US5263147A (en) 1991-03-01 1993-11-16 Hughes Training, Inc. System for providing high security for personal computers and workstations
US5272754A (en) 1991-03-28 1993-12-21 Secure Computing Corporation Secure computer interface
US5228083A (en) 1991-06-28 1993-07-13 Digital Equipment Corporation Cryptographic processing in a communication network, using a single cryptographic engine
US5355474A (en) 1991-09-27 1994-10-11 Thuraisngham Bhavani M System for multilevel secure database management using a knowledge base with release-based and other security constraints for query, response and update modification
US5305385A (en) 1991-10-15 1994-04-19 Ungermann-Bass, Inc. Network message security method and apparatus
US5583940A (en) 1992-01-28 1996-12-10 Electricite De France - Service National Method, apparatus and device for enciphering messages transmitted between interconnected networks
EP0554182A1 (en) 1992-01-28 1993-08-04 Electricite De France Method, apparatus and device for message cyphering between interconnected networks
US5333266A (en) 1992-03-27 1994-07-26 International Business Machines Corporation Method and apparatus for message handling in computer systems
US5276735A (en) 1992-04-17 1994-01-04 Secure Computing Corporation Data enclave and trusted path system
US5311593A (en) 1992-05-13 1994-05-10 Chipcom Corporation Security system for a network concentrator
US5644571A (en) 1992-06-15 1997-07-01 Digital Equipment Corporation Apparatus for message filtering in a network using domain class
US5329623A (en) 1992-06-17 1994-07-12 The Trustees Of The University Of Pennsylvania Apparatus for providing cryptographic support in a network
US5455828A (en) 1992-08-17 1995-10-03 Zisapel; Yehuda Carrier sensing multiple access/collision detection local area networks
US5586260A (en) 1993-02-12 1996-12-17 Digital Equipment Corporation Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms
US5414833A (en) 1993-10-27 1995-05-09 International Business Machines Corporation Network security system and method using a parallel finite state machine adaptive active monitor and responder
US5606668A (en) 1993-12-15 1997-02-25 Checkpoint Software Technologies Ltd. System for securing inbound and outbound data packet flow in a computer network
GB2287619A (en) 1994-03-03 1995-09-20 Ibm Security device for data communications networks
US5511122A (en) 1994-06-03 1996-04-23 The United States Of America As Represented By The Secretary Of The Navy Intermediate network authentication
US5416842A (en) 1994-06-10 1995-05-16 Sun Microsystems, Inc. Method and apparatus for key-management scheme for use with internet protocols at site firewalls
US5615340A (en) 1994-07-21 1997-03-25 Allied Telesyn Int'l Corp. Network interfacing apparatus and method using repeater and cascade interface with scrambling
US5485460A (en) 1994-08-19 1996-01-16 Microsoft Corporation System and method for running multiple incompatible network protocol stacks
US5604490A (en) 1994-09-09 1997-02-18 International Business Machines Corporation Method and system for providing a user access to multiple secured subsystems
US5548646A (en) 1994-09-15 1996-08-20 Sun Microsystems, Inc. System for signatureless transmission and reception of data packets between computer networks
US5864683A (en) * 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
WO1996013113A1 (en) 1994-10-12 1996-05-02 Secure Computing Corporation System and method for providing secure internetwork services
US5623601A (en) * 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
US5619648A (en) 1994-11-30 1997-04-08 Lucent Technologies Inc. Message filtering techniques
US5550984A (en) 1994-12-07 1996-08-27 Matsushita Electric Corporation Of America Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information
US5566170A (en) 1994-12-29 1996-10-15 Storage Technology Corporation Method and apparatus for accelerated packet forwarding
US5699513A (en) 1995-03-31 1997-12-16 Motorola, Inc. Method for secure network access via message intercept
WO1996035994A1 (en) 1995-05-08 1996-11-14 Compuserve Incorporated Rules based electronic message management system
EP0743777A2 (en) 1995-05-18 1996-11-20 Sun Microsystems, Inc. System for packet filtering of data packets at a computer network interface
US5636371A (en) 1995-06-07 1997-06-03 Bull Hn Information Systems Inc. Virtual network mechanism to access well known port application programs running on a single host system
US5708780A (en) 1995-06-07 1998-01-13 Open Market, Inc. Internet server access control and monitoring systems
US5706507A (en) 1995-07-05 1998-01-06 International Business Machines Corporation System and method for controlling access to data located on a content server
WO1997013340A1 (en) 1995-09-18 1997-04-10 Digital Secured Networks Technology, Inc. Network security device
US5689566A (en) 1995-10-24 1997-11-18 Nguyen; Minhtam C. Network with secure communications sessions
US5671279A (en) 1995-11-13 1997-09-23 Netscape Communications Corporation Electronic commerce using a secure courier system
WO1997026735A1 (en) 1996-01-16 1997-07-24 Raptor Systems, Inc. Key management for network communication
WO1997026734A1 (en) 1996-01-16 1997-07-24 Raptor Systems, Inc. Transferring encrypted packets over a public network
WO1997026731A1 (en) 1996-01-16 1997-07-24 Raptor Systems, Inc. Data encryption/decryption for network communication
WO1997029413A2 (en) 1996-02-09 1997-08-14 Secure Computing Corporation System and method for achieving network separation
US5918018A (en) * 1996-02-09 1999-06-29 Secure Computing Corporation System and method for achieving network separation
US5684951A (en) 1996-03-20 1997-11-04 Synopsys, Inc. Method and system for user authorization over a multi-user computer system
US5673322A (en) 1996-03-22 1997-09-30 Bell Communications Research, Inc. System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks
US5983350A (en) 1996-09-18 1999-11-09 Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status
US5968176A (en) * 1997-05-29 1999-10-19 3Com Corporation Multilayer firewall system

Non-Patent Citations (54)

* Cited by examiner, † Cited by third party
Title
"Answers to Frequently Asked Questions About Network Security", Secure Computing Corporation, p. 1-41 & p. 1-16 (Sep. 25, 1994).
"Sidewinder Internals", Product information, Secure Computing Corporation, 16 p. (Oct. 1994).
"Special Report: Secure Computing Corporation and Network Security", Computer Select, 13 p. (Dec. 1995).
Adam, J.A., "Playing on the Net", IEEE Spectrum, p. 29 (Oct. 1992).
Adam, J.A., "Meta-Matrices", IEEE Spectrum, p. 26 (Oct. 1992).
Ancilotti, P., et al., "Language Features for Access Control", IEEE Transactions on Software Engineering, SE-9, 16-25 (Jan. 1983).
Badger, L., et al., "Practical Domain and Type Enforcement for UNIX", Proceedings of the 1995 IEEE Symposium on Security and Privacy, p. 66-77 (May 1995).
Belkin, N.J., et al., "Information Filtering and Information Retrieval: Two Sides of the Same Coin?", Communications of the ACM, 35, 29-38 (Dec. 1992).
Bellovin, S.M., et al., "Network Firewalls", IEEE Communications Magazine, 32, 50-57 (Sep. 1994).
Bevier, W.R., et al., "Connection Policies and Controlled Interference", Proceedings of the Eighth IEEE Computer Security Foundations Workshop, Kenmare, Ireland, p. 167-176 (Jun. 13-15, 1995).
Boebert, W.E., et al., "Secure Ada Target: Issues, System Design, and Verification", Proceedings of the Symposium on Security and Privacy, Oakland, California, pp. 59-66 (1985).
Boebert, W.E., et al., "Secure Computing: The Secure Ada Target Approach", Sci. Honeyweller, 6(2), 17 pages, (1985).
Bowen, T.F., et al., "The Datacycle Architecture", Communications of the ACM, 35, 71-81 (Dec. 1992).
Bryan, J., "Firewalls For Sale", BYTE, 99-100, 102, 104-105 (Apr. 1995).
Cobb, S., "Establishing Firewall Policy", IEEE, 198-205 (1996).
Damashek, M., "Gauging Similarity with n-Grams: Language-Independent Categorization of Text", Science, 267, 843-848 (Feb. 10, 1995).
Dillaway, B.B., et al., "A Practical Design For A Multilevel Secure Database Management System", American Institute of Aeronautics and Astronautics, Inc., p. 44-57 (Dec. 1986).
Fine, T., et al., "Assuring Distributed Trusted Mach", Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, p. 206-218 (1993).
Foltz, P.W., et al., "Personalized Information Delivery: An Analysis of Information Filtering Methods", Communications of the ACM, 35, 51-60 (Dec. 1992).
Gassman, B., "Internet Security, and Firewalls Protection on the Internet", IEEE, 93-107 (1996).
Goldberg, D., et al., "Using Collaborative Filtering to Weave an Information Tapestry", Communications of the ACM, 35, 61-70 (Dec. 1992).
Grampp, F.T., "UNIX Operating System Security", AT&T Bell Laboratories Technical Journal, 63, 1649-1672 (Oct. 1984).
Greenwald, M., et al., "Designing an Academic Firewall: Policy, Practice, and Experience with SURF", IEEE, 79-92 (1996).
Haigh, J.T., et al., "Extending the Noninterference Version of MLS for SAT", Proceedings of the 1986 IEEE Symposium on Security and Privacy, Oakland, CA, p. 232-239 (Apr. 7-9, 1986).
International Search Report, PCT Application No. PCT/US 95/12681, 8 p. (mailed Apr. 9, 1996).
Karn, P., et al., "The ESP DES-CBC Transform", Network Working Group, Request for Comments No. 1829, http://ds.internic.net/rfc/rfc1829.txt, 9 p. (Aug. 1995).
Kent, S.T., "Internet Privacy Enhanced Mail", Communications of the ACM, 36, 48-60 (Aug. 1993).
Lampson, B.W., et al., "Dynamic Protection Structures", AFIPS Conference Proceedings, 35, 1969 Fall Joint Computer Conference, Las Vegas, NV, 27-38 (Nov. 18-20, 1969).
Lee, K.C., et al., "A Framework for Controlling Cooperative Agents", Computer, 8-16 (Jul. 1993).
Lodin, S.W., et al., "Firewalls Fend Off Invasions from the Net", IEEE Spectrum, 26-34 (Feb. 1998).
Loeb, S., "Architecting Personalized Delivery of Multimedia Information", Communications of the ACM, 35, 39-48 (1992).
Loeb, S., et al., "Information Filtering", Communications of the ACM, 35, 26-28 (Dec. 1992).
McCarthy, S.P., "Hey Hackers? Secure Computing Says You Can't Break into This Telnet Site", Computer Select, 2 p. (Dec. 1995).
Merenbloom, P., "Network 'Fire Walls' Safeguard LAN Data from Outside Intrusion", Infoworld, p. 69 & addnl. page (Jul. 25, 1994).
Metzger, P., et al., "IP Authentication using Keyed MD5", Network Working Group, Request for Comments No. 1828, http://ds.internic.net/rfc/rfc1828.txt, 5 p. (Aug. 1995).
News Release: "100% of Hackers Failed to Break Into One Internet Site Protected by Sidewinder(TM)", Secure Computing Corporation (Feb. 16, 1995).
News Release: "Internet Security System Given 'Product of the Year' Award", Secure Computing Corporation (Mar. 28, 1995).
News Release: "SATAN No Threat to Sidewinder(TM)", Secure Computing Corporation (Apr. 26, 1995).
Obraczka, K., et al., "Internet Resource Discovery Services", Computer, 8-22 (Sep. 1993).
Peterson, L.L., et al., In: Computer Networks, Morgan Kaufmann Publishers, Inc., San Francisco, CA, p. 218-221, 284-286 (1996).
Press, L., "The Net: Progress and Opportunity", Communications of the ACM, 35, 21-25 (Dec. 1992).
Schroeder, M.D., et al., "A Hardware Architecture for Implementing Protection Rings", Communications of the ACM, 15, 157-170 (Mar. 1972).
Schwartz, M.F., "Internet Resource Discovery at the University of Colorado", Computer, 25-35 (Sep. 1993).
Smith, R.E., "Constructing a High Assurance Mail Guard", Secure Computing Corporation (Appeared in the Proceedings of the National Computer Security Conference), 7 p. (1994).
Smith, R.E., "Sidewinder: Defense in Depth Using Type Enforcement", International Journal of Network Management, p. 219-229 (Jul.-Aug. 1995).
Stadnyk, I., et al., "Modeling User's Interests in Information Filters", Communications of the ACM, 35, 49-50 (Dec. 1992).
Stempel, S., "IpAccess-An Internet Service Access System for Firewall Installations", IEEE, 31-41 (1995).
Stevens, C., "Automating the Creation of Information Filters", Communications of the ACM, 35, 48 (Dec. 1992).
Thomsen, D., "Type Enforcement: The New Security Model", SPIE, 2617, 143-150 (1995).
Warrier, U.S., et al., "A Platform for Heterogeneous Interconnection Network Management", IEEE Journal on Selected Areas in Communications, 8, 119-126 (Jan. 1990).
White, L.J., et al., "A Firewall Concept for Both Control-Flow and Data-Flow in Regression Integration Testing", IEEE, 262-271 (1992).
Wolfe, A., "Honeywell Builds Hardware for Computer Security", Electronics, 14-15 (Sep. 2, 1985).

Cited By (677)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8606851B2 (en) 1995-06-06 2013-12-10 Wayport, Inc. Method and apparatus for geographic-based communications service
US20080049696A1 (en) * 1995-06-06 2008-02-28 Stewart Brett B Method and apparatus for geographic-based communications service
US8929915B2 (en) 1995-06-06 2015-01-06 Wayport, Inc. Providing information to a computing device based on known location and user information
US8478887B2 (en) 1995-06-06 2013-07-02 Wayport, Inc. Providing advertisements to a computing device based on a predetermined criterion of a wireless access point
US8631128B2 (en) 1995-06-06 2014-01-14 Wayport, Inc. Method and apparatus for geographic-based communications service
US20080042900A1 (en) * 1995-06-06 2008-02-21 Stewart Brett B Method and Apparatus for Geographic-Based Communications Service
US8417763B2 (en) 1995-06-06 2013-04-09 Wayport, Inc. Providing information to a computing device based on known location and user information
US8892736B2 (en) 1995-06-06 2014-11-18 Wayport, Inc. Providing an advertisement based on a geographic location of a wireless access point
US7840689B2 (en) 1995-06-06 2010-11-23 Wayport, Inc. Dynamically modifying the display of a computing device to provide advertisements
US8509246B2 (en) 1995-06-06 2013-08-13 Wayport, Inc. Method and apparatus for geographic-based communications service
US8583723B2 (en) 1995-06-06 2013-11-12 Wayport, Inc. Receiving location based advertisements on a wireless communication device
US20080042899A1 (en) * 1995-06-06 2008-02-21 Stewart Brett B Method and Apparatus for Geographic-Based Communications Service
US8250204B2 (en) 1995-06-06 2012-08-21 Wayport, Inc. Method and apparatus for geographic-based communications service
US8199733B2 (en) 1995-06-06 2012-06-12 Wayport, Inc. Method and apparatus for geographic-based communications service
US8095647B2 (en) 1995-06-06 2012-01-10 Wayport, Inc. Method and apparatus for geographic-based communications service
US8990287B2 (en) 1995-06-06 2015-03-24 Wayport, Inc. Providing promotion information to a device based on location
US6401204B1 (en) * 1996-06-05 2002-06-04 Siemens Aktiengesellschaft Process for cryptographic code management between a first computer unit and a second computer unit
US8935311B2 (en) 1997-03-10 2015-01-13 Sonicwall, Inc. Generalized policy server
US9154489B2 (en) 1997-03-10 2015-10-06 Dell Software Inc. Query interface to policy server
US7821926B2 (en) 1997-03-10 2010-10-26 Sonicwall, Inc. Generalized policy server
USRE46439E1 (en) 1997-03-10 2017-06-13 Dropbox, Inc. Distributed administration of access to information and interface for same
US9438577B2 (en) 1997-03-10 2016-09-06 Dell Software Inc. Query interface to policy server
US9331992B2 (en) 1997-03-10 2016-05-03 Dell Software Inc. Access control
US9276920B2 (en) 1997-03-10 2016-03-01 Dell Software Inc. Tunneling using encryption
US7272625B1 (en) * 1997-03-10 2007-09-18 Sonicwall, Inc. Generalized policy server
US6453419B1 (en) * 1998-03-18 2002-09-17 Secure Computing Corporation System and method for implementing a security policy
US6701437B1 (en) * 1998-04-17 2004-03-02 Vpnet Technologies, Inc. Method and apparatus for processing communications in a virtual private network
US7143151B1 (en) * 1998-05-19 2006-11-28 Hitachi, Ltd. Network management system for generating setup information for a plurality of devices based on common meta-level information
US6438612B1 (en) * 1998-09-11 2002-08-20 Ssh Communications Security, Ltd. Method and arrangement for secure tunneling of data between virtual routers
US7673323B1 (en) 1998-10-28 2010-03-02 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
US20030115484A1 (en) * 1998-10-28 2003-06-19 Moriconi Mark S. System and method for incrementally distributing a security policy in a computer network
US7506357B1 (en) 1998-10-28 2009-03-17 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
US7363650B2 (en) 1998-10-28 2008-04-22 Bea Systems, Inc. System and method for incrementally distributing a security policy in a computer network
US7318237B2 (en) 1998-10-28 2008-01-08 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
US6832322B1 (en) * 1999-01-29 2004-12-14 International Business Machines Corporation System and method for network address translation integration with IP security
US7146639B2 (en) 1999-01-29 2006-12-05 Lucent Technologies Inc. Method and apparatus for managing a firewall
US20060288409A1 (en) * 1999-01-29 2006-12-21 Yair Bartal Method and apparatus for managing a firewall
US7401354B2 (en) * 1999-01-29 2008-07-15 International Business Machines Corporation System and method for network address translation integration with IP Security
US20030120955A1 (en) * 1999-01-29 2003-06-26 Lucent Technologies Inc. Method and apparatus for managing a firewall
US20030149899A1 (en) * 1999-01-29 2003-08-07 International Business Machines Corporation System and method for network address translation integration with IP security
US20110231443A1 (en) * 1999-02-16 2011-09-22 Clifford Lee Hannel Query interface to policy server
US8914410B2 (en) 1999-02-16 2014-12-16 Sonicwall, Inc. Query interface to policy server
US6546546B1 (en) * 1999-05-19 2003-04-08 International Business Machines Corporation Integrating operating systems and run-time systems
US7006993B1 (en) 1999-05-28 2006-02-28 The Coca-Cola Company Method and apparatus for surrogate control of network-based electronic transactions
US7305473B2 (en) 1999-05-28 2007-12-04 The Coca-Cola Company Provision of transparent proxy services to a user of a client device
US20010037292A1 (en) * 1999-05-28 2001-11-01 David Vogt Provision of transparent proxy services to a user of a client device
US6718535B1 (en) 1999-07-30 2004-04-06 Accenture Llp System, method and article of manufacture for an activity framework design in an e-commerce based environment
US6704873B1 (en) * 1999-07-30 2004-03-09 Accenture Llp Secure gateway interconnection in an e-commerce based environment
US7100195B1 (en) 1999-07-30 2006-08-29 Accenture Llp Managing user information on an e-commerce system
US6601233B1 (en) 1999-07-30 2003-07-29 Accenture Llp Business components framework
US8588130B2 (en) 1999-11-03 2013-11-19 Wayport, Inc. Distributed network communication system to provide wireless access to a computing device at a reduced rate
US7133904B1 (en) * 1999-11-09 2006-11-07 International Business Machines Corporation Client server system, server, client, proxy server control method, proxy server function provision method, storage medium and program transmission apparatus
US20040172449A1 (en) * 1999-12-02 2004-09-02 Lambertus Hesselink VCR webification
US7934251B2 (en) 1999-12-02 2011-04-26 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7788404B2 (en) 1999-12-02 2010-08-31 Western Digital Technologies, Inc. Access and control system for network-enabled devices
US10382526B2 (en) 1999-12-02 2019-08-13 Western Digital Technologies, Inc. Program recording webification
US8661507B1 (en) 1999-12-02 2014-02-25 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US8688797B2 (en) 1999-12-02 2014-04-01 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US10291686B2 (en) 1999-12-02 2019-05-14 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US9348864B1 (en) 1999-12-02 2016-05-24 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US9894141B2 (en) 1999-12-02 2018-02-13 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US20050268334A1 (en) * 1999-12-02 2005-12-01 Lambertus Hesselink Access and control system for network-enabled devices
US20050138186A1 (en) * 1999-12-02 2005-06-23 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7546353B2 (en) 1999-12-02 2009-06-09 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US9807147B1 (en) 1999-12-02 2017-10-31 Western Digital Technologies, Inc. Program recording webification
US9191443B2 (en) 1999-12-02 2015-11-17 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US20050149481A1 (en) * 1999-12-02 2005-07-07 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US8793374B2 (en) 1999-12-02 2014-07-29 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7917628B2 (en) 1999-12-02 2011-03-29 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7600036B2 (en) 1999-12-02 2009-10-06 Western Digital Technologies, Inc. Access and control system for network-enabled devices
US9071574B1 (en) 1999-12-02 2015-06-30 Western Digital Technologies, Inc. Access and control system for network-enabled devices
US8341275B1 (en) 1999-12-02 2012-12-25 Western Digital Technologies, Inc. Access and control system for network-enabled devices
US8352567B2 (en) 1999-12-02 2013-01-08 Western Digital Technologies, Inc. VCR webification
US7587467B2 (en) 1999-12-02 2009-09-08 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US20050114711A1 (en) * 1999-12-02 2005-05-26 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7120692B2 (en) 1999-12-02 2006-10-10 Senvid, Inc. Access and control system for network-enabled devices
US20050144195A1 (en) * 1999-12-02 2005-06-30 Lambertus Hesselink Managed peer-to-peer applications, systems and methods for distributed data access and storage
US20020129142A1 (en) * 1999-12-21 2002-09-12 Valerie Favier Method and device for configuring a firewall in a computer system
US7225255B2 (en) * 1999-12-21 2007-05-29 Evidian Method and system for controlling access to network resources using resource groups
WO2001046807A1 (en) * 1999-12-22 2001-06-28 Mci Worldcom, Inc. An overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
US20060156402A1 (en) * 1999-12-22 2006-07-13 Worldcom, Inc. Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
US7062782B1 (en) * 1999-12-22 2006-06-13 Uunet Technologies, Inc. Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
US8234707B2 (en) 1999-12-22 2012-07-31 Mci International, Inc. Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
US7035825B1 (en) * 2000-01-04 2006-04-25 E.Piphany, Inc. Managing relationships of parties interacting on a network
US20110231555A1 (en) * 2000-01-18 2011-09-22 Hashem Mohammad Ebrahimi Brokering state information and identity among user agents, origin servers, and proxies
US8850017B2 (en) * 2000-01-18 2014-09-30 Novell, Inc. Brokering state information and identity among user agents, origin servers, and proxies
US7016980B1 (en) * 2000-01-18 2006-03-21 Lucent Technologies Inc. Method and apparatus for analyzing one or more firewalls
WO2001057669A1 (en) * 2000-02-04 2001-08-09 Bionetrix Systems Corporation System, method and computer program product for enrolling and authenticating communication protocol-enabled clients for access to information
US7082467B2 (en) * 2000-02-10 2006-07-25 Hughes Network Systems Method and device for selective transport level spoofing based on information in transport level packet
US20020133596A1 (en) * 2000-02-10 2002-09-19 John Border Selective spoofer and method of performing selective spoofing
US7873991B1 (en) * 2000-02-11 2011-01-18 International Business Machines Corporation Technique of defending against network flooding attacks using a connectionless protocol
US20040078432A1 (en) * 2000-02-22 2004-04-22 Yahoo! Inc. Systems and methods for matching participants to a conversation
US7120668B2 (en) * 2000-02-22 2006-10-10 Yahoo!, Inc. Systems and methods for matching participants to a conversation
US20020108059A1 (en) * 2000-03-03 2002-08-08 Canion Rodney S. Network security accelerator
US20070162973A1 (en) * 2000-03-16 2007-07-12 Counterpane Internet Security, Inc. Method and System for Dynamic Network Intrusion Monitoring, Detection and Response
US20020087882A1 (en) * 2000-03-16 2002-07-04 Bruce Schneier Mehtod and system for dynamic network intrusion monitoring detection and response
US7895641B2 (en) 2000-03-16 2011-02-22 Bt Counterpane Internet Security, Inc. Method and system for dynamic network intrusion monitoring, detection and response
US7159237B2 (en) * 2000-03-16 2007-01-02 Counterpane Internet Security, Inc. Method and system for dynamic network intrusion monitoring, detection and response
US9009798B2 (en) 2000-03-23 2015-04-14 Citibank, N.A. System, method and computer program product for providing unified authentication services for online applications
US9438633B1 (en) 2000-03-23 2016-09-06 Citibank, N.A. System, method and computer program product for providing unified authentication services for online applications
US7266604B1 (en) * 2000-03-31 2007-09-04 Microsoft Corporation Proxy network address translation
US6976071B1 (en) * 2000-05-03 2005-12-13 Nortel Networks Limited Detecting if a secure link is alive
US6976078B1 (en) * 2000-05-08 2005-12-13 International Business Machines Corporation Process for simultaneous user access using access control structures for authoring systems
US20050232165A1 (en) * 2000-05-15 2005-10-20 Brawn John M System and method of aggregating discontiguous address ranges into addresses and masks using a plurality of repeating address blocks
US20010037384A1 (en) * 2000-05-15 2001-11-01 Brian Jemes System and method for implementing a virtual backbone on a common network infrastructure
US20010042213A1 (en) * 2000-05-15 2001-11-15 Brian Jemes System and method for implementing network security policies on a common network infrastructure
US20020066030A1 (en) * 2000-05-15 2002-05-30 Brawn John Melvin Secure network and method of establishing communication amongst network devices that have restricted network connectivity
US7263719B2 (en) 2000-05-15 2007-08-28 Hewlett-Packard Development Company, L.P. System and method for implementing network security policies on a common network infrastructure
US7024686B2 (en) * 2000-05-15 2006-04-04 Hewlett-Packard Development Company, L.P. Secure network and method of establishing communication amongst network devices that have restricted network connectivity
US7020718B2 (en) 2000-05-15 2006-03-28 Hewlett-Packard Development Company, L.P. System and method of aggregating discontiguous address ranges into addresses and masks using a plurality of repeating address blocks
US7400591B2 (en) 2000-05-15 2008-07-15 Hewlett-Packard Development Company, L.P. Method of creating an address and a discontiguous mask for a network security policy area
US7788329B2 (en) 2000-05-16 2010-08-31 Aol Inc. Throttling electronic communications from one or more senders
US20060136590A1 (en) * 2000-05-16 2006-06-22 America Online, Inc. Throttling electronic communications from one or more senders
US7865945B2 (en) 2000-05-17 2011-01-04 Sharp Clifford F System and method for detecting and eliminating IP spoofing in a data transmission network
US20090288156A1 (en) * 2000-05-17 2009-11-19 Deep Nines, Inc. System and method for detecting and eliminating ip spoofing in a data transmission network
US20020131366A1 (en) * 2000-05-17 2002-09-19 Sharp Clifford F. System and method for traffic management control in a data transmission network
US6930978B2 (en) 2000-05-17 2005-08-16 Deep Nines, Inc. System and method for traffic management control in a data transmission network
US20030110394A1 (en) * 2000-05-17 2003-06-12 Sharp Clifford F. System and method for detecting and eliminating IP spoofing in a data transmission network
US7380272B2 (en) 2000-05-17 2008-05-27 Deep Nines Incorporated System and method for detecting and eliminating IP spoofing in a data transmission network
US7058976B1 (en) 2000-05-17 2006-06-06 Deep Nines, Inc. Intelligent feedback loop process control system
US20020059517A1 (en) * 2000-05-24 2002-05-16 Yaron Haviv Filtered application-to-application communication
WO2001090838A3 (en) * 2000-05-24 2002-04-04 Voltaire Advanced Data Securit Filtered application-to-application communication
US7216225B2 (en) 2000-05-24 2007-05-08 Voltaire Ltd. Filtered application-to-application communication
WO2001090838A2 (en) * 2000-05-24 2001-11-29 Voltaire Advanced Data Security Ltd. Filtered application-to-application communication
US7299489B1 (en) * 2000-05-25 2007-11-20 Lucent Technologies Inc. Method and apparatus for host probing
US6914905B1 (en) 2000-06-16 2005-07-05 Extreme Networks, Inc. Method and system for VLAN aggregation
US7792058B1 (en) 2000-06-16 2010-09-07 Extreme Networks, Inc. Method and system for VLAN aggregation
US20040073617A1 (en) * 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US20100205265A1 (en) * 2000-06-19 2010-08-12 Azure Networks, Llc Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US20100205671A1 (en) * 2000-06-19 2010-08-12 Azure Networks, Llc Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
US8272060B2 (en) 2000-06-19 2012-09-18 Stragent, Llc Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
US8204945B2 (en) 2000-06-19 2012-06-19 Stragent, Llc Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US7162536B1 (en) * 2000-06-20 2007-01-09 Nortel Networks Limited Validation of a connection between arbitrary end-nodes in a communications network
US8402117B2 (en) 2000-06-30 2013-03-19 At&T Intellectual Property I, L.P. Anonymous location service for wireless networks
US7664509B2 (en) 2000-06-30 2010-02-16 At&T Intellectual Property I, L.P. Location blocking service for wireless networks
US9571958B2 (en) 2000-06-30 2017-02-14 At&T Intellectual Propery I, L.P. Anonymous location service for wireless networks
US8645505B2 (en) 2000-06-30 2014-02-04 At&T Intellectual Property I, L.P. Anonymous location service for wireless networks
US20040097243A1 (en) * 2000-06-30 2004-05-20 Zellner Samuel N. Location blocking service for wireless networks
US6898717B1 (en) * 2000-07-20 2005-05-24 International Business Machines Corporation Network domain with secured and unsecured servers
US20100235506A1 (en) * 2000-08-24 2010-09-16 Foundry Networks, Inc. Securing an accessible computer system
US8001244B2 (en) 2000-08-24 2011-08-16 Aol Inc. Deep packet scan hacker identification
US8645537B2 (en) 2000-08-24 2014-02-04 Citrix Systems, Inc. Deep packet scan hacker identification
US7711790B1 (en) 2000-08-24 2010-05-04 Foundry Networks, Inc. Securing an accessible computer system
US7725587B1 (en) * 2000-08-24 2010-05-25 Aol Llc Deep packet scan hacker identification
US7743144B1 (en) 2000-08-24 2010-06-22 Foundry Networks, Inc. Securing an access provider
US9288218B2 (en) 2000-08-24 2016-03-15 Foundry Networks, Llc Securing an accessible computer system
US8850046B2 (en) 2000-08-24 2014-09-30 Foundry Networks Llc Securing an access provider
US20100198969A1 (en) * 2000-08-24 2010-08-05 Aol Llc Deep Packet Scan Hacker Identification
US20100217863A1 (en) * 2000-08-24 2010-08-26 Foundry Networks, Inc. Securing An Access Provider
US8108531B2 (en) 2000-08-24 2012-01-31 Foundry Networks, Inc. Securing an access provider
US20050108037A1 (en) * 2000-09-12 2005-05-19 Anish Bhimani Information sharing and analysis system and method
WO2002023366A1 (en) * 2000-09-12 2002-03-21 Global Integrity Information sharing and analysis system and method
US6807569B1 (en) 2000-09-12 2004-10-19 Science Applications International Corporation Trusted and anonymous system and method for sharing threat data to industry assets
US6826698B1 (en) * 2000-09-15 2004-11-30 Networks Associates Technology, Inc. System, method and computer program product for rule based network security policies
US7487207B2 (en) 2000-09-28 2009-02-03 Bea Systems, Inc. System and method for determining the functionality of a software application based on nodes within the software application and transitions between the nodes
US20020138556A1 (en) * 2000-09-28 2002-09-26 Neil Smithline System for managing logical process flow in an online environment
US7051069B2 (en) * 2000-09-28 2006-05-23 Bea Systems, Inc. System for managing logical process flow in an online environment
US20060143267A1 (en) * 2000-09-28 2006-06-29 Bea Systems, Inc. System for managing logical process flow in an online environment
US7185368B2 (en) 2000-11-30 2007-02-27 Lancope, Inc. Flow-based detection of network intrusions
US7296292B2 (en) * 2000-12-15 2007-11-13 International Business Machines Corporation Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications
US7269647B2 (en) 2000-12-15 2007-09-11 International Business Machines Corporation Simplified network packet analyzer for distributed packet snooper
US20020078231A1 (en) * 2000-12-15 2002-06-20 Ibm Corporation Simplified network packet analyzer for distributed packet snooper
US20020078377A1 (en) * 2000-12-15 2002-06-20 Ching-Jye Chang Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications
US6915351B2 (en) * 2000-12-18 2005-07-05 Sun Microsystems, Inc. Community separation control in a closed multi-community node
US7296291B2 (en) * 2000-12-18 2007-11-13 Sun Microsystems, Inc. Controlled information flow between communities via a firewall
US20020078370A1 (en) * 2000-12-18 2002-06-20 Tahan Thomas E. Controlled information flow between communities via a firewall
US20020078199A1 (en) * 2000-12-18 2002-06-20 Tahan Thomas E. Community separation control in a closed multi-community node
US8825035B2 (en) 2000-12-19 2014-09-02 At&T Intellectual Property I, L.P. System and method for remote control of appliances utilizing mobile location-based applications
US8538456B2 (en) 2000-12-19 2013-09-17 At&T Intellectual Property I, L.P. Surveying wireless device users by location
US10217137B2 (en) 2000-12-19 2019-02-26 Google Llc Location blocking service from a web advertiser
US10354079B2 (en) 2000-12-19 2019-07-16 Google Llc Location-based security rules
US9020489B2 (en) 2000-12-19 2015-04-28 At&T Intellectual Property I, L.P. System and method for using location information to execute an action
US7428411B2 (en) * 2000-12-19 2008-09-23 At&T Delaware Intellectual Property, Inc. Location-based security rules
US8874140B2 (en) 2000-12-19 2014-10-28 At&T Intellectual Property I, L.P. Location blocking service from a wireless service provider
US9852450B2 (en) 2000-12-19 2017-12-26 At&T Intellectual Property I, L.P. Location blocking service from a web advertiser
US9501780B2 (en) 2000-12-19 2016-11-22 At&T Intellectual Property I, L.P. Surveying wireless device users by location
US20080299957A1 (en) * 2000-12-19 2008-12-04 Zellner Samuel N System and method for using location information to execute an action
US8509813B2 (en) 2000-12-19 2013-08-13 At&T Intellectual Property I, L.P. Location blocking service from a wireless service provider
US8805414B2 (en) 2000-12-19 2014-08-12 At&T Intellectual Property I, L.P. Surveying wireless device users by location
US9763091B2 (en) 2000-12-19 2017-09-12 At&T Intellectual Property I, L.P. Location blocking service from a wireless service provider
US7593712B2 (en) 2000-12-19 2009-09-22 At&T Intellectual Property I, L.P. System and method for using location information to execute an action
US8755777B2 (en) 2000-12-19 2014-06-17 At&T Intellectual Property I, L.P. Identity blocking service from a wireless service provider
US7941130B2 (en) 2000-12-19 2011-05-10 At&T Intellectual Property I, Lp System and method for using location information to execute an action
US8644506B2 (en) 2000-12-19 2014-02-04 At&T Intellectual Property I, L.P. Location-based security rules
US8260239B2 (en) 2000-12-19 2012-09-04 At&T Intellectual Property I, Lp System and method for using location information to execute an action
US20080096529A1 (en) * 2000-12-19 2008-04-24 Samuel Zellner Location-Based Security Rules
US9648454B2 (en) 2000-12-19 2017-05-09 At&T Intellectual Property I, L.P. System and method for permission to access mobile location information
US20060099966A1 (en) * 2000-12-19 2006-05-11 Bellsouth Intellectual Property Corporation System and method for using location information to execute an action
US20060089134A1 (en) * 2000-12-19 2006-04-27 Bellsouth Intellectual Property Corporation System and method for using location information to execute an action
US8494501B2 (en) 2000-12-19 2013-07-23 At&T Intellectual Property I, L.P. Identity blocking service from a wireless service provider
US20070010260A1 (en) * 2000-12-19 2007-01-11 Bellsouth Intellectual Property Corporation System and method for using location information to execute an action
US20070042789A1 (en) * 2000-12-19 2007-02-22 Bellsouth Intellectual Property Corporation System and method for using location information to execute an action
US9584647B2 (en) 2000-12-19 2017-02-28 At&T Intellectual Property I, L.P. System and method for remote control of appliances utilizing mobile location-based applications
US8639235B2 (en) 2000-12-19 2014-01-28 At&T Intellectual Property I, L.P. System and method for using location information to execute an action
US9466076B2 (en) 2000-12-19 2016-10-11 At&T Intellectual Property I, L.P. Location blocking service from a web advertiser
US20050272445A1 (en) * 2000-12-19 2005-12-08 Bellsouth Intellectual Property Corporation Location-based security rules
US20020124069A1 (en) * 2000-12-28 2002-09-05 Hatalkar Atul N. Broadcast communication system with dynamic client-group memberships
US20020091795A1 (en) * 2001-01-05 2002-07-11 Michael Yip Method and system of aggregate multiple VLANs in a metropolitan area network
US6912592B2 (en) 2001-01-05 2005-06-28 Extreme Networks, Inc. Method and system of aggregate multiple VLANs in a metropolitan area network
US20020133586A1 (en) * 2001-01-16 2002-09-19 Carter Shanklin Method and device for monitoring data traffic and preventing unauthorized access to a network
US7249374B1 (en) * 2001-01-22 2007-07-24 Cisco Technology, Inc. Method and apparatus for selectively enforcing network security policies using group identifiers
US20070204333A1 (en) * 2001-01-22 2007-08-30 Eliot Lear Method and apparatus for selectively enforcing network security policies using group identifiers
US7039721B1 (en) * 2001-01-26 2006-05-02 Mcafee, Inc. System and method for protecting internet protocol addresses
US20070289017A1 (en) * 2001-01-31 2007-12-13 Lancope, Inc. Network port profiling
US7290283B2 (en) 2001-01-31 2007-10-30 Lancope, Inc. Network port profiling
US20020144156A1 (en) * 2001-01-31 2002-10-03 Copeland John A. Network port profiling
US7886358B2 (en) 2001-01-31 2011-02-08 Lancope, Inc. Network port profiling
US8510476B2 (en) * 2001-02-15 2013-08-13 Brooks Automation, Inc. Secure remote diagnostic customer support network
US20020112064A1 (en) * 2001-02-15 2002-08-15 Roger Eastvold Customer support network
WO2002065319A1 (en) * 2001-02-15 2002-08-22 Brooks Automation, Inc. Customer support network
US20040078599A1 (en) * 2001-03-01 2004-04-22 Storeage Networking Technologies Storage area network (san) security
US7437753B2 (en) 2001-03-01 2008-10-14 Lsi Technologies Israel Ltd. Storage area network (SAN) security
WO2002071224A1 (en) * 2001-03-01 2002-09-12 Storeage Networking Technologies Storage area network (san) security
US20020133717A1 (en) * 2001-03-13 2002-09-19 Ciongoli Bernard M. Physical switched network security
US20130283379A1 (en) * 2001-03-20 2013-10-24 Verizon Corporate Services Group Inc. System, method and apparatus that employ virtual private networks to resist ip qos denial of service attacks
US6778498B2 (en) 2001-03-20 2004-08-17 Mci, Inc. Virtual private network (VPN)-aware customer premises equipment (CPE) edge router
US8543734B2 (en) 2001-03-20 2013-09-24 Verizon Business Global Llc System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks
US7447151B2 (en) 2001-03-20 2008-11-04 Verizon Business Global Llc Virtual private network (VPN)-aware customer premises equipment (CPE) edge router
WO2002076050A1 (en) * 2001-03-20 2002-09-26 Worldcom, Inc. Virtual private network (vpn)-aware customer premises equipment (cpe) edge router
US20050066053A1 (en) * 2001-03-20 2005-03-24 Worldcom, Inc. System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks
US20040208122A1 (en) * 2001-03-20 2004-10-21 Mcdysan David E. Virtual private network (VPN)-aware customer premises equipment (CPE) edge router
US9009812B2 (en) * 2001-03-20 2015-04-14 Verizon Patent And Licensing Inc. System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks
US7809860B2 (en) 2001-03-20 2010-10-05 Verizon Business Global Llc System, method and apparatus that isolate virtual private network (VPN) and best effort traffic to resist denial of service attacks
WO2002076029A1 (en) * 2001-03-20 2002-09-26 Worldcom, Inc. System, method and apparatus that isolate virtual private network (vpn) and best effort traffic to resist denial of service attacks
WO2002077756A3 (en) * 2001-03-27 2003-05-01 Coca Cola Co Provision of transparent proxy services to a user of a client device
WO2002077756A2 (en) * 2001-03-27 2002-10-03 The Coca-Cola Company Provision of transparent proxy services to a user of a client device
US7010696B1 (en) 2001-03-30 2006-03-07 Mcafee, Inc. Method and apparatus for predicting the incidence of a virus
US20020152326A1 (en) * 2001-04-03 2002-10-17 David Orshan System, method and computer program product for facilitating local internet service providers to deliver guaranteed bandwidth internet service
US20030041050A1 (en) * 2001-04-16 2003-02-27 Greg Smith System and method for web-based marketing and campaign management
US7499948B2 (en) 2001-04-16 2009-03-03 Bea Systems, Inc. System and method for web-based personalization and ecommerce management
US20060280201A1 (en) * 2001-04-18 2006-12-14 Skypilot Networks, Inc. Network channel access protocol - slot scheduling
US7356043B2 (en) 2001-04-18 2008-04-08 Skypilot Networks, Inc. Network channel access protocol—slot scheduling
US7283494B2 (en) 2001-04-18 2007-10-16 Skypilot Networks, Inc. Network channel access protocol-interference and load adaptive
US20020176381A1 (en) * 2001-04-18 2002-11-28 Skypilot Network, Inc. Network channel access protocol - slot allocation
US20020176396A1 (en) * 2001-04-18 2002-11-28 Skypilot Network, Inc. Network channel access protocol-interference and load adaptive
US7149183B2 (en) 2001-04-18 2006-12-12 Skypilot Networks, Inc. Network channel access protocol - slot allocation
US20020154622A1 (en) * 2001-04-18 2002-10-24 Skypilot Network, Inc. Network channel access protocol - slot scheduling
US7113519B2 (en) 2001-04-18 2006-09-26 Skypilot Networks, Inc. Network channel access protocol—slot scheduling
US7339947B2 (en) 2001-04-18 2008-03-04 Skypilot Networks, Inc. Network channel access protocol—frame execution
WO2002091674A1 (en) * 2001-05-04 2002-11-14 Jai-Hyoung Rhee Network traffic flow control system
US7036148B2 (en) * 2001-05-08 2006-04-25 International Business Machines Corporation Method of operating an intrusion detection system according to a set of business rules
US20020169982A1 (en) * 2001-05-08 2002-11-14 International Business Machines Corporation Method of operating an intrusion detection system according to a set of business rules
US20030126468A1 (en) * 2001-05-25 2003-07-03 Markham Thomas R. Distributed firewall system and method
US7536715B2 (en) 2001-05-25 2009-05-19 Secure Computing Corporation Distributed firewall system and method
US7392546B2 (en) * 2001-06-11 2008-06-24 Bea Systems, Inc. System and method for server security and entitlement processing
US20020188869A1 (en) * 2001-06-11 2002-12-12 Paul Patrick System and method for server security and entitlement processing
US7823189B2 (en) 2001-06-11 2010-10-26 Bea Systems, Inc. System and method for dynamic role association
US20070157297A1 (en) * 2001-06-11 2007-07-05 Bea Systems, Inc. System and method for server security and entitlement processing
US7356840B1 (en) * 2001-06-19 2008-04-08 Microstrategy Incorporated Method and system for implementing security filters for reporting systems
US20030005122A1 (en) * 2001-06-27 2003-01-02 International Business Machines Corporation In-kernel content-aware service differentiation
US8024424B2 (en) 2001-06-27 2011-09-20 International Business Machines Corporation In-kernal content-aware service differentiation
US7315892B2 (en) * 2001-06-27 2008-01-01 International Business Machines Corporation In-kernel content-aware service differentiation
US20090307350A1 (en) * 2001-06-27 2009-12-10 Douglas Morgan Freimuth In-kernal content-aware service differentiation
US6513122B1 (en) 2001-06-29 2003-01-28 Networks Associates Technology, Inc. Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities
US8176553B1 (en) * 2001-06-29 2012-05-08 Mcafee, Inc. Secure gateway with firewall and intrusion detection capabilities
KR20030003593A (en) * 2001-07-03 2003-01-10 (주) 해커스랩 Network Security System and Method for applying Security Rule for Restricted Condition
US20050055444A1 (en) * 2001-07-06 2005-03-10 Krishnan Venkatasubramanian Systems and methods of information backup
WO2003005245A3 (en) * 2001-07-06 2003-11-13 Computer Ass Think Inc Systems and methods of information backup
US9002910B2 (en) 2001-07-06 2015-04-07 Ca, Inc. Systems and methods of information backup
US20050038836A1 (en) * 2001-07-06 2005-02-17 Jianxin Wang Systems and methods of information backup
US7389292B2 (en) 2001-07-06 2008-06-17 Computer Associates Think, Inc. Systems and methods of information backup
US8370450B2 (en) 2001-07-06 2013-02-05 Ca, Inc. Systems and methods for information backup
US20050172093A1 (en) * 2001-07-06 2005-08-04 Computer Associates Think, Inc. Systems and methods of information backup
US7552214B2 (en) 2001-07-06 2009-06-23 Computer Associates Think, Inc. Systems and methods of information backup
US7734594B2 (en) 2001-07-06 2010-06-08 Computer Associates Think, Inc. Systems and methods of information backup
WO2003005245A2 (en) * 2001-07-06 2003-01-16 Computer Associates Think, Inc. Systems and methods of information backup
US7107464B2 (en) 2001-07-10 2006-09-12 Telecom Italia S.P.A. Virtual private network mechanism incorporating security association processor
US7131141B1 (en) * 2001-07-27 2006-10-31 At&T Corp. Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network
WO2003015374A1 (en) * 2001-08-07 2003-02-20 Sun Microsystems, Inc. Controlled information flow between communities via a firewall
US6907525B2 (en) 2001-08-14 2005-06-14 Riverhead Networks Inc. Protecting against spoofed DNS messages
US20030070096A1 (en) * 2001-08-14 2003-04-10 Riverhead Networks Inc. Protecting against spoofed DNS messages
US20030043853A1 (en) * 2001-08-15 2003-03-06 Ronald P. Doyle Methods, systems and computer program products for detecting a spoofed source address in IP datagrams
US7134012B2 (en) * 2001-08-15 2006-11-07 International Business Machines Corporation Methods, systems and computer program products for detecting a spoofed source address in IP datagrams
US7313815B2 (en) 2001-08-30 2007-12-25 Cisco Technology, Inc. Protecting against spoofed DNS messages
US20050044352A1 (en) * 2001-08-30 2005-02-24 Riverhead Networks, Inc. Protecting against spoofed DNS messages
US20030046583A1 (en) * 2001-08-30 2003-03-06 Honeywell International Inc. Automated configuration of security software suites
US7207061B2 (en) * 2001-08-31 2007-04-17 International Business Machines Corporation State machine for accessing a stealth firewall
US20030051155A1 (en) * 2001-08-31 2003-03-13 International Business Machines Corporation State machine for accessing a stealth firewall
US6986160B1 (en) * 2001-08-31 2006-01-10 Mcafee, Inc. Security scanning system and method utilizing generic IP addresses
WO2003025697A3 (en) * 2001-09-21 2004-03-04 Riverhead Networks Inc Protecting network traffic against spoofed domain name system (dns) messages
US9407605B2 (en) 2001-09-28 2016-08-02 Juniper Networks, Inc. Routing a packet by a device
US20030065812A1 (en) * 2001-09-28 2003-04-03 Niels Beier Tagging packets with a lookup key to facilitate usage of a unified packet forwarding cache
US7308710B2 (en) 2001-09-28 2007-12-11 Jp Morgan Chase Bank Secured FTP architecture
US8291114B2 (en) 2001-09-28 2012-10-16 Juniper Networks, Inc. Routing a packet by a device
US7302700B2 (en) * 2001-09-28 2007-11-27 Juniper Networks, Inc. Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device
US20080034414A1 (en) * 2001-09-28 2008-02-07 Juniper Networks, Inc. Method and apparatus for implementing a layer 3/layer 7 firewall in an l2 device
CN1561625B (en) * 2001-09-28 2010-09-08 英特尔公司 Tagging packets with a lookup key to facilitate usage of a unified packet forwarding cache
US20100281533A1 (en) * 2001-09-28 2010-11-04 Juniper Networks, Inc. Method and apparatus for implementing a layer 3/layer 7 firewall in an l2 device
DE10297269B4 (en) * 2001-09-28 2009-06-04 Intel Corp., Santa Clara Labeling packets with a lookup key for easier use of a common packet forwarding cache
US20030065950A1 (en) * 2001-09-28 2003-04-03 Yarborough William Jordan Secured FTP architecture
US7779459B2 (en) 2001-09-28 2010-08-17 Juniper Networks, Inc. Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device
US20030065944A1 (en) * 2001-09-28 2003-04-03 Mao Yu Ming Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device
US8689316B2 (en) 2001-09-28 2014-04-01 Juniper Networks, Inc. Routing a packet by a device
US7269663B2 (en) * 2001-09-28 2007-09-11 Intel Corporation Tagging packets with a lookup key to facilitate usage of a unified packet forwarding cache
US7367014B2 (en) 2001-10-24 2008-04-29 Bea Systems, Inc. System and method for XML data representation of portlets
US20030110172A1 (en) * 2001-10-24 2003-06-12 Daniel Selman Data synchronization
US20070214421A1 (en) * 2001-10-24 2007-09-13 Bea Systems, Inc. System and method for application flow integration in a portal framework
US20030126558A1 (en) * 2001-10-24 2003-07-03 Griffin Philip B. System and method for XML data representation of portlets
US20030117437A1 (en) * 2001-10-24 2003-06-26 Cook Thomas A. Portal administration tool
US7451477B2 (en) 2001-10-24 2008-11-11 Bea Systems, Inc. System and method for rule-based entitlements
US20030115292A1 (en) * 2001-10-24 2003-06-19 Griffin Philip B. System and method for delegated administration
US20030149722A1 (en) * 2001-10-24 2003-08-07 Chris Jolley System and method for application flow integration in a portal framework
US20050187986A1 (en) * 2001-10-24 2005-08-25 Bea Systems, Inc. Data synchronization
US7451163B2 (en) 2001-10-24 2008-11-11 Bea Systems, Inc. Data synchronization
US7516167B2 (en) 2001-10-24 2009-04-07 Bea Systems, Inc. Data synchronization
US20050187993A1 (en) * 2001-10-24 2005-08-25 Bea Systems, Inc. Data synchronization
US7472342B2 (en) 2001-10-24 2008-12-30 Bea Systems, Inc. System and method for portal page layout
US20030105974A1 (en) * 2001-10-24 2003-06-05 Philip B. Griffin System and method for rule-based entitlements
US7240280B2 (en) 2001-10-24 2007-07-03 Bea Systems, Inc. System and method for application flow integration in a portal framework
WO2003044676A1 (en) * 2001-11-20 2003-05-30 Senvid, Inc. Access and control system for network-enabled devices
US20050210533A1 (en) * 2001-11-30 2005-09-22 Copeland John A Packet Sampling Flow-Based Detection of Network Intrusions
US20070180526A1 (en) * 2001-11-30 2007-08-02 Lancope, Inc. Flow-based detection of network intrusions
US7475426B2 (en) 2001-11-30 2009-01-06 Lancope, Inc. Flow-based detection of network intrusions
US7512980B2 (en) 2001-11-30 2009-03-31 Lancope, Inc. Packet sampling flow-based detection of network intrusions
US10129273B2 (en) 2001-11-30 2018-11-13 Cisco Technology, Inc. System and methods for computer network security involving user confirmation of network connections
WO2003049400A1 (en) * 2001-12-07 2003-06-12 Ssh Communications Security Corporation Application gateway system, and method for maintaining security in a packet-switched information network
US20100024026A1 (en) * 2001-12-07 2010-01-28 Safenet, Inc. Application gateway system and method for maintaining security in a packet-switched information network
US8566920B2 (en) 2001-12-07 2013-10-22 Inside Secure Application gateway system and method for maintaining security in a packet-switched information network
US20030115322A1 (en) * 2001-12-13 2003-06-19 Moriconi Mark S. System and method for analyzing security policies in a distributed computer network
US7350226B2 (en) 2001-12-13 2008-03-25 Bea Systems, Inc. System and method for analyzing security policies in a distributed computer network
US20030115480A1 (en) * 2001-12-17 2003-06-19 Worldcom, Inc. System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks
US9348914B2 (en) 2001-12-18 2016-05-24 Caldvor Acquisitions Ltd., Llc Web-based asset management
US8825712B2 (en) 2001-12-18 2014-09-02 Caldvor Acquisitions Ltd., Llc Web-based asset management
US8484248B2 (en) 2001-12-18 2013-07-09 Caldvor Acquisitions Ltd., Llc Web-based asset management
US20110047170A1 (en) * 2001-12-18 2011-02-24 Shawn Thomas Web-Based Asset Management
US8631014B2 (en) 2001-12-18 2014-01-14 Caldvor Acquisitions Ltd., Llc Method and system for integrated asset management
US8321468B2 (en) 2001-12-18 2012-11-27 Caldvor Acquisitions Ltd., Llc Web-based asset management
US20080177753A1 (en) * 2001-12-18 2008-07-24 Bluecurrent, Inc. Method and system for asset transition project management
US7765181B2 (en) * 2001-12-18 2010-07-27 Shawn Thomas Web-based asset management
US8266124B2 (en) 2001-12-18 2012-09-11 Caldvor Acquisitions Ltd., Llc Integrated asset management
US20030154199A1 (en) * 2001-12-18 2003-08-14 Shawn Thomas Method and system for integrated asset management
US20030217042A1 (en) * 2001-12-18 2003-11-20 Shawn Thomas Method and system for Web-based asset management
US20120192262A1 (en) * 2001-12-20 2012-07-26 Mcafee, Inc., A Delaware Corporation Network adapter firewall system and method
US9876818B2 (en) 2001-12-20 2018-01-23 McAFEE, LLC. Embedded anti-virus scanner for a network adapter
US8627443B2 (en) * 2001-12-20 2014-01-07 Mcafee, Inc. Network adapter firewall system and method
US9055098B2 (en) 2001-12-20 2015-06-09 Mcafee, Inc. Embedded anti-virus scanner for a network adapter
US6961783B1 (en) 2001-12-21 2005-11-01 Networks Associates Technology, Inc. DNS server access control system and method
US20080250484A1 (en) * 2001-12-28 2008-10-09 Chong Lester J System and method for content filtering
US7650420B2 (en) 2001-12-28 2010-01-19 The Directv Group, Inc. System and method for content filtering
US7099319B2 (en) 2002-01-23 2006-08-29 International Business Machines Corporation Virtual private network and tunnel gateway with multiple overlapping, remote subnets
US20030145104A1 (en) * 2002-01-23 2003-07-31 International Business Machines Corporation Virtual private network and tunnel gateway with multiple overlapping, remote subnets
US7751391B2 (en) 2002-01-23 2010-07-06 International Business Machines Corporation Virtual private network and tunnel gateway with multiple overlapping, remote subnets
US20070097977A1 (en) * 2002-01-23 2007-05-03 International Business Machine Corporation Virtual private network and tunnel gateway with multiple overlapping, remote subnets
AU2002254385B2 (en) * 2002-01-31 2009-01-08 Cisco Technology, Inc. Network service zone locking
WO2003069478A1 (en) * 2002-01-31 2003-08-21 Lancope, Inc. Network service zone locking
US7644151B2 (en) * 2002-01-31 2010-01-05 Lancope, Inc. Network service zone locking
US20040088571A1 (en) * 2002-01-31 2004-05-06 John Jerrim Network service zone locking
US20030149787A1 (en) * 2002-02-01 2003-08-07 Mangan John F. Policy based routing system and method for caching and VPN tunneling
US7069336B2 (en) 2002-02-01 2006-06-27 Time Warner Cable Policy based routing system and method for caching and VPN tunneling
US20030154380A1 (en) * 2002-02-08 2003-08-14 James Richmond Controlling usage of network resources by a user at the user's entry point to a communications network based on an identity of the user
US20030152067A1 (en) * 2002-02-08 2003-08-14 Enterasys Networks, Inc. Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users
US6990592B2 (en) 2002-02-08 2006-01-24 Enterasys Networks, Inc. Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users
US7855972B2 (en) 2002-02-08 2010-12-21 Enterasys Networks, Inc. Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules
US6892309B2 (en) * 2002-02-08 2005-05-10 Enterasys Networks, Inc. Controlling usage of network resources by a user at the user's entry point to a communications network based on an identity of the user
US20030152035A1 (en) * 2002-02-08 2003-08-14 Pettit Steven A. Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules
US6973496B2 (en) * 2002-03-05 2005-12-06 Archduke Holdings, Inc. Concealing a network connected device
US20040215771A1 (en) * 2002-03-05 2004-10-28 Hayes John W. Concealing a network connected device
US6845452B1 (en) * 2002-03-12 2005-01-18 Reactivity, Inc. Providing security for external access to a protected computer network
WO2003079605A1 (en) * 2002-03-12 2003-09-25 Reactivity, Inc. Providing security for external access to a protected computer network
US7043753B2 (en) 2002-03-12 2006-05-09 Reactivity, Inc. Providing security for external access to a protected computer network
US20060253901A1 (en) * 2002-03-12 2006-11-09 Reactivity, Inc. Providing security for external access to a protected computer network
US20050091515A1 (en) * 2002-03-12 2005-04-28 Roddy Brian J. Providing security for external access to a protected computer network
US7552471B2 (en) * 2002-03-12 2009-06-23 Reactivity, Inc. Providing security for external access to a protected computer network
US7895326B2 (en) * 2002-03-25 2011-02-22 Lancope, Inc. Network service zone locking
US20100138535A1 (en) * 2002-03-25 2010-06-03 Lancope, Inc. Network service zone locking
US7543332B2 (en) 2002-04-04 2009-06-02 At&T Corporation Method and system for securely scanning network traffic
US20070169187A1 (en) * 2002-04-04 2007-07-19 Joel Balissat Method and system for securely scanning network traffic
US20030191937A1 (en) * 2002-04-04 2003-10-09 Joel Balissat Multipoint server for providing secure, scaleable connections between a plurality of network devices
US8136152B2 (en) 2002-04-04 2012-03-13 Worcester Technologies Llc Method and system for securely scanning network traffic
US20070016947A1 (en) * 2002-04-04 2007-01-18 Joel Balissat Method and system for securely scanning network traffic
US20030191843A1 (en) * 2002-04-04 2003-10-09 Joel Balissat Secure network connection for devices on a private network
US7188365B2 (en) 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
US7448081B2 (en) 2002-04-04 2008-11-04 At&T Intellectual Property Ii, L.P. Method and system for securely scanning network traffic
US7203957B2 (en) 2002-04-04 2007-04-10 At&T Corp. Multipoint server for providing secure, scaleable connections between a plurality of network devices
US20030191963A1 (en) * 2002-04-04 2003-10-09 Joel Balissat Method and system for securely scanning network traffic
US7562386B2 (en) 2002-04-04 2009-07-14 At&T Intellectual Property, Ii, L.P. Multipoint server for providing secure, scaleable connections between a plurality of network devices
US20070180514A1 (en) * 2002-04-04 2007-08-02 Joel Balissat Multipoint server for providing secure, scaleable connections between a plurality of network devices
US20030196095A1 (en) * 2002-04-11 2003-10-16 International Business Machines Corporation Detecting dissemination of malicious programs
US7140041B2 (en) 2002-04-11 2006-11-21 International Business Machines Corporation Detecting dissemination of malicious programs
US20030200441A1 (en) * 2002-04-19 2003-10-23 International Business Machines Corporation Detecting randomness in computer network traffic
US20070214271A1 (en) * 2002-05-01 2007-09-13 Bea Systems, Inc. Enterprise application platform
US7426548B2 (en) 2002-05-01 2008-09-16 Bea Systems, Inc. Enterprise application platform
US20040068554A1 (en) * 2002-05-01 2004-04-08 Bea Systems, Inc. Web service-enabled portlet wizard
US7725560B2 (en) 2002-05-01 2010-05-25 Bea Systems Inc. Web service-enabled portlet wizard
US20040068568A1 (en) * 2002-05-01 2004-04-08 Griffin Philip B. Enterprise application platform
US20040010598A1 (en) * 2002-05-01 2004-01-15 Bea Systems, Inc. Portal setup wizard
US7496687B2 (en) 2002-05-01 2009-02-24 Bea Systems, Inc. Enterprise application platform
EP1370027A1 (en) * 2002-06-05 2003-12-10 T.I.P. Holdings GmbH Computer network leakage detection, location and identification
WO2003105404A1 (en) * 2002-06-05 2003-12-18 T.I.P. Holdings Computer network leakage detection, location and identification
US7418492B1 (en) 2002-06-20 2008-08-26 P-Cube Ltd. System and a method for testing network communication devices
US7194767B1 (en) * 2002-06-28 2007-03-20 Sprint Communications Company L.P. Screened subnet having a secured utility VLAN
US20040006708A1 (en) * 2002-07-02 2004-01-08 Lucent Technologies Inc. Method and apparatus for enabling peer-to-peer virtual private network (P2P-VPN) services in VPN-enabled network
US7421736B2 (en) * 2002-07-02 2008-09-02 Lucent Technologies Inc. Method and apparatus for enabling peer-to-peer virtual private network (P2P-VPN) services in VPN-enabled network
EP1381199A1 (en) * 2002-07-12 2004-01-14 Alcatel Firewall for dynamically granting and denying network resources
US7448078B2 (en) 2002-07-12 2008-11-04 Alcatel Method, a portal system, a portal server, a personalized access policy server, a firewall and computer software products for dynamically granting and denying network resources
US20040010719A1 (en) * 2002-07-12 2004-01-15 Alcatel Method, a portal system, a portal server, a personalized access policy server, a firewall and computer software products for dynamically granting and denying network resources
US7231664B2 (en) 2002-09-04 2007-06-12 Secure Computing Corporation System and method for transmitting and receiving secure data in a virtual private group
US20040044891A1 (en) * 2002-09-04 2004-03-04 Secure Computing Corporation System and method for secure group communications
US7594262B2 (en) 2002-09-04 2009-09-22 Secure Computing Corporation System and method for secure group communications
US20040044908A1 (en) * 2002-09-04 2004-03-04 Secure Computing Corporation System and method for transmitting and receiving secure data in a virtual private group
WO2004023307A1 (en) * 2002-09-06 2004-03-18 O2Micro, Inc. Vpn and firewall integrated system
US20100138909A1 (en) * 2002-09-06 2010-06-03 O2Micro, Inc. Vpn and firewall integrated system
US20060174336A1 (en) * 2002-09-06 2006-08-03 Jyshyang Chen VPN and firewall integrated system
GB2397204B (en) * 2002-09-06 2005-03-30 O2Micro Inc VPN and firewall integrated system
GB2397204A (en) * 2002-09-06 2004-07-14 O2Micro Inc VPN and firewall integrated system
GB2407464A (en) * 2002-09-06 2005-04-27 O2Micro Inc VPN and firewall integrated system
CN100389400C (en) * 2002-09-06 2008-05-21 美国凹凸微系有限公司 VPN and firewall integrated system
GB2407464B (en) * 2002-09-06 2005-12-14 O2Micro Inc VPN and firewall integrated system
US7596806B2 (en) 2002-09-06 2009-09-29 O2Micro International Limited VPN and firewall integrated system
US7315890B2 (en) * 2002-10-02 2008-01-01 Lockheed Martin Corporation System and method for managing access to active devices operably connected to a data network
US20040068562A1 (en) * 2002-10-02 2004-04-08 Tilton Earl W. System and method for managing access to active devices operably connected to a data network
US7308706B2 (en) * 2002-10-28 2007-12-11 Secure Computing Corporation Associative policy model
US20040083382A1 (en) * 2002-10-28 2004-04-29 Secure Computing Corporation Associative policy model
US7574738B2 (en) 2002-11-06 2009-08-11 At&T Intellectual Property Ii, L.P. Virtual private network crossovers based on certificates
US20040103211A1 (en) * 2002-11-21 2004-05-27 Jackson Eric S. System and method for managing computer networks
US7359930B2 (en) 2002-11-21 2008-04-15 Arbor Networks System and method for managing computer networks
US20080294770A1 (en) * 2002-11-21 2008-11-27 Arbor Networks System and method for managing computer networks
US8667047B2 (en) 2002-11-21 2014-03-04 Arbor Networks System and method for managing computer networks
US20040123139A1 (en) * 2002-12-18 2004-06-24 At&T Corp. System having filtering/monitoring of secure connections
WO2004062187A1 (en) * 2002-12-31 2004-07-22 American Express Travel Related Services Company, Inc. Method and system for modular authentication and session management
US8819416B2 (en) 2002-12-31 2014-08-26 Iii Holdings 1, Llc Method and system for modular authentication and session management
US8291228B2 (en) 2002-12-31 2012-10-16 American Express Travel Related Services Company, Inc. Method and system for modular authentication and session management
US20090044020A1 (en) * 2002-12-31 2009-02-12 American Express Travel Related Services Company, Inc. Method and System for Modular Authentication and Session Management
US20040146006A1 (en) * 2003-01-24 2004-07-29 Jackson Daniel H. System and method for internal network data traffic control
US8831966B2 (en) 2003-02-14 2014-09-09 Oracle International Corporation Method for delegated administration
US20040162733A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. Method for delegated administration
US20050138411A1 (en) * 2003-02-14 2005-06-23 Griffin Philip B. Resource management with roles
US6917975B2 (en) 2003-02-14 2005-07-12 Bea Systems, Inc. Method for role and resource policy management
US7992189B2 (en) 2003-02-14 2011-08-02 Oracle International Corporation System and method for hierarchical role-based entitlements
US7653930B2 (en) 2003-02-14 2010-01-26 Bea Systems, Inc. Method for role and resource policy management optimization
US20040162905A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. Method for role and resource policy management optimization
US20100037290A1 (en) * 2003-02-14 2010-02-11 Oracle International Corporation System and method for hierarchical role-based entitlements
US20040162906A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. System and method for hierarchical role-based entitlements
US7591000B2 (en) 2003-02-14 2009-09-15 Oracle International Corporation System and method for hierarchical role-based entitlements
US20050138412A1 (en) * 2003-02-14 2005-06-23 Griffin Philip B. Resource management with policies
US7240212B2 (en) * 2003-02-18 2007-07-03 Ubs Painewebber, Inc. Method and system for secure alert messaging
US20070255957A1 (en) * 2003-02-18 2007-11-01 Ubs Painewebber, Inc. Method and system for secure alert messaging
US7587609B2 (en) 2003-02-18 2009-09-08 Ubs Financial Services Inc. Method and system for secure alert messaging
US20040162880A1 (en) * 2003-02-18 2004-08-19 Arnone David J. Method and system for secure alert messaging
US7562298B2 (en) 2003-02-20 2009-07-14 Bea Systems, Inc. Virtual content repository browser
US20060174132A1 (en) * 2003-02-20 2006-08-03 Bea Systems, Inc. Federated management of content repositories
US7293286B2 (en) 2003-02-20 2007-11-06 Bea Systems, Inc. Federated management of content repositories
US7840614B2 (en) 2003-02-20 2010-11-23 Bea Systems, Inc. Virtual content repository application program interface
US20040167899A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Virtual content repository browser
US20080320022A1 (en) * 2003-02-20 2008-12-25 Oracle International Corporation Federated Management of Content Repositories
US20040168084A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Federated management of content repositories
US7433896B2 (en) 2003-02-20 2008-10-07 Bea Systems, Inc. Federated management of content repositories
US20040167867A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Virtual content repository application program interface
US8099779B2 (en) 2003-02-20 2012-01-17 Oracle International Corporation Federated management of content repositories
US7483904B2 (en) 2003-02-20 2009-01-27 Bea Systems, Inc. Virtual repository content model
US7415478B2 (en) 2003-02-20 2008-08-19 Bea Systems, Inc. Virtual repository complex content model
US7810036B2 (en) 2003-02-28 2010-10-05 Bea Systems, Inc. Systems and methods for personalizing a portal
US20040230917A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for navigating a graphical hierarchy
US20040230557A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for context-sensitive editing
US20040230947A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for personalizing a portal
US20040230679A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for portal and web server administration
US7979694B2 (en) 2003-03-03 2011-07-12 Cisco Technology, Inc. Using TCP to authenticate IP source addresses
US20050021999A1 (en) * 2003-03-03 2005-01-27 Riverhead Networks Inc. Using TCP to authenticate IP source addresses
US7900038B2 (en) 2003-04-29 2011-03-01 Wells Fargo Bank, N.A. Method and apparatus for a broker entity
US20040220882A1 (en) * 2003-04-29 2004-11-04 Suto Lawrence B. Method and apparatus for a broker entity
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10104110B2 (en) 2003-07-01 2018-10-16 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US10050988B2 (en) 2003-07-01 2018-08-14 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9225686B2 (en) 2003-07-01 2015-12-29 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10154055B2 (en) 2003-07-01 2018-12-11 Securityprofiling, Llc Real-time vulnerability monitoring
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10021124B2 (en) 2003-07-01 2018-07-10 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US20050063398A1 (en) * 2003-07-03 2005-03-24 Choudhury Abhijit K. Method of implementing L3 switching, network address port translation, and ALG support using a combination of hardware and firmware
US20050066166A1 (en) * 2003-07-03 2005-03-24 Chin Ken C.K. Unified wired and wireless switch architecture
US7149897B2 (en) 2003-07-25 2006-12-12 The United States Of America As Represented By The Secretary Of The Navy Systems and methods for providing increased computer security
US20050022023A1 (en) * 2003-07-25 2005-01-27 Stanley Chincheck Systems and methods for providing increased computer security
US8578444B2 (en) 2003-09-24 2013-11-05 Info Express, Inc. Systems and methods of controlling network access
US8677450B2 (en) 2003-09-24 2014-03-18 Infoexpress, Inc. Systems and methods of controlling network access
US8650610B2 (en) 2003-09-24 2014-02-11 Infoexpress, Inc. Systems and methods of controlling network access
US20050102536A1 (en) * 2003-10-10 2005-05-12 Bea Systems, Inc. Dynamically configurable distributed security system
US20050097352A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Embeddable security service module
US20050251851A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Configuration of a distributed security system
US20050251852A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Distributed enterprise security system
US20050257245A1 (en) * 2003-10-10 2005-11-17 Bea Systems, Inc. Distributed security system with dynamic roles
US20050097166A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy inheritance through nested groups
US7603547B2 (en) 2003-10-10 2009-10-13 Bea Systems, Inc. Security control module
US7603548B2 (en) 2003-10-10 2009-10-13 Bea Systems, Inc. Security provider development model
US20050262362A1 (en) * 2003-10-10 2005-11-24 Bea Systems, Inc. Distributed security system policies
US20050097350A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Security control module
US20050102401A1 (en) * 2003-10-10 2005-05-12 Bea Systems, Inc. Distributed enterprise security system for a resource hierarchy
US20050102510A1 (en) * 2003-10-10 2005-05-12 Bea Systems, Inc. Delegation in a distributed security system
US20050097351A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Security provider development model
US20050097353A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy analysis tool
US7644432B2 (en) 2003-10-10 2010-01-05 Bea Systems, Inc. Policy inheritance through nested groups
US20050081055A1 (en) * 2003-10-10 2005-04-14 Bea Systems, Inc. Dynamically configurable distributed security system
US20050081062A1 (en) * 2003-10-10 2005-04-14 Bea Systems, Inc. Distributed enterprise security system
US7594224B2 (en) 2003-10-10 2009-09-22 Bea Systems, Inc. Distributed enterprise security system
US20050102535A1 (en) * 2003-10-10 2005-05-12 Bea Systems, Inc. Distributed security system with security service providers
US7594112B2 (en) 2003-10-10 2009-09-22 Bea Systems, Inc. Delegated administration for a distributed security system
US7448070B2 (en) 2003-10-17 2008-11-04 Microsoft Corporation Network fingerprinting
CN1610297B (en) * 2003-10-17 2010-12-08 微软公司 Network fingerprinting
KR101109379B1 (en) 2003-10-17 2012-01-30 마이크로소프트 코포레이션 Network fingerprinting
EP1524819A3 (en) * 2003-10-17 2006-05-24 Microsoft Corporation Network fingerprinting
EP1524819A2 (en) * 2003-10-17 2005-04-20 Microsoft Corporation Network fingerprinting
US20050086473A1 (en) * 2003-10-17 2005-04-21 Microsoft Corporation Network fingerprinting
US7730137B1 (en) 2003-12-22 2010-06-01 Aol Inc. Restricting the volume of outbound electronic messages originated by a single entity
US9608883B2 (en) 2004-02-06 2017-03-28 Microsoft Technology Licensing, Llc Network classification
US8676969B2 (en) 2004-02-06 2014-03-18 Microsoft Corporation Network classification
US9374286B2 (en) 2004-02-06 2016-06-21 Microsoft Technology Licensing, Llc Network classification
US20050188295A1 (en) * 2004-02-25 2005-08-25 Loren Konkus Systems and methods for an extensible administration tool
US7774601B2 (en) 2004-04-06 2010-08-10 Bea Systems, Inc. Method for delegated administration
WO2005098568A1 (en) * 2004-04-08 2005-10-20 Thomson Licensing Security device and process and associated products
EP1585005A1 (en) * 2004-04-08 2005-10-12 Thomson Multimedia Broadband Belgium Security device and process and associated products
US20050234849A1 (en) * 2004-04-13 2005-10-20 Bea Systems, Inc. System and method for content lifecycles
US20050251502A1 (en) * 2004-04-13 2005-11-10 Bea Systems, Inc. System and method for virtual content repository entitlements
US20050240714A1 (en) * 2004-04-13 2005-10-27 Bea Systems, Inc. System and method for virtual content repository deployment
US20050251506A1 (en) * 2004-04-13 2005-11-10 Bea Systems, Inc. System and method for providing content services to a repository
US20060028252A1 (en) * 2004-04-13 2006-02-09 Bea Systems, Inc. System and method for content type management
US20050251505A1 (en) * 2004-04-13 2005-11-10 Bea Systems, Inc. System and method for information lifecycle workflow integration
US20050228784A1 (en) * 2004-04-13 2005-10-13 Bea Systems, Inc. System and method for batch operations in a virtual content repository
US20050228827A1 (en) * 2004-04-13 2005-10-13 Bea Systems, Inc. System and method for viewing a virtual content repository
US7236990B2 (en) 2004-04-13 2007-06-26 Bea Systems, Inc. System and method for information lifecycle workflow integration
US7236975B2 (en) 2004-04-13 2007-06-26 Bea Systems, Inc. System and method for controlling access to a node in a virtual content repository that integrates a plurality of content repositories
US7580953B2 (en) 2004-04-13 2009-08-25 Bea Systems, Inc. System and method for schema lifecycles in a virtual content repository that integrates a plurality of content repositories
US20050228816A1 (en) * 2004-04-13 2005-10-13 Bea Systems, Inc. System and method for content type versions
US20050251504A1 (en) * 2004-04-13 2005-11-10 Bea Systems, Inc. System and method for custom content lifecycles
US7236989B2 (en) 2004-04-13 2007-06-26 Bea Systems, Inc. System and method for providing lifecycles for custom content in a virtual content repository
US7240076B2 (en) 2004-04-13 2007-07-03 Bea Systems, Inc. System and method for providing a lifecycle for information in a virtual content repository
US7246138B2 (en) 2004-04-13 2007-07-17 Bea Systems, Inc. System and method for content lifecycles in a virtual content repository that integrates a plurality of content repositories
US7162504B2 (en) 2004-04-13 2007-01-09 Bea Systems, Inc. System and method for providing content services to a repository
US7475091B2 (en) 2004-04-13 2009-01-06 Bea Systems, Inc. System and method for viewing a virtual content repository
US20080091803A1 (en) * 2004-05-21 2008-04-17 Li Liu Method for managing a virtual private network
US20050287442A1 (en) * 2004-06-21 2005-12-29 Kim Jin H Electrolyte for lithium ion rechargeable battery and lithium ion rechargeable battery including the same
US8245242B2 (en) 2004-07-09 2012-08-14 Quest Software, Inc. Systems and methods for managing policies on a computer
US8533744B2 (en) 2004-07-09 2013-09-10 Dell Software, Inc. Systems and methods for managing policies on a computer
US8713583B2 (en) 2004-07-09 2014-04-29 Dell Software Inc. Systems and methods for managing policies on a computer
US9130847B2 (en) 2004-07-09 2015-09-08 Dell Software, Inc. Systems and methods for managing policies on a computer
US20060064469A1 (en) * 2004-09-23 2006-03-23 Cisco Technology, Inc. System and method for URL filtering in a firewall
KR100643281B1 (en) 2004-10-09 2006-11-10 삼성전자주식회사 Apparatus, system and method for security service in home network
US7568224B1 (en) 2004-12-06 2009-07-28 Cisco Technology, Inc. Authentication of SIP and RTP traffic
US7620733B1 (en) 2005-03-30 2009-11-17 Cisco Technology, Inc. DNS anti-spoofing using UDP
US8478985B2 (en) * 2005-04-19 2013-07-02 International Business Machines Corporation Determining whether to encrypt outbound traffic
US20080240436A1 (en) * 2005-04-19 2008-10-02 International Business Machines Corporation Method and apparatus for determining whether to encrypt outbound traffic
US10476868B2 (en) 2005-04-21 2019-11-12 Justservice.Net Llc Data backup and transfer system, method and computer program product
US10387270B2 (en) 2005-04-21 2019-08-20 Justservice.Net Llc Data backup, storage, transfer and retrieval system, method and computer program product
US11425116B2 (en) 2005-04-21 2022-08-23 Justservice.Net Llc Data backup and transfer system, method and computer program product
US11436095B2 (en) 2005-04-21 2022-09-06 Justservice.Net Llc Data backup, storage, transfer and retrieval system, method and computer program product
US20060282508A1 (en) * 2005-06-09 2006-12-14 International Business Machines Corporation System and method of responding to a flood attack on a data processing system
US20070005563A1 (en) * 2005-06-30 2007-01-04 Veveo, Inc. Method and system for incremental search with reduced text entry where the relevance of results is a dynamically computed function of user input search string character count
US8490153B2 (en) 2005-07-15 2013-07-16 Microsoft Corporation Automatically generating rules for connection security
US20070016945A1 (en) * 2005-07-15 2007-01-18 Microsoft Corporation Automatically generating rules for connection security
US8056124B2 (en) * 2005-07-15 2011-11-08 Microsoft Corporation Automatically generating rules for connection security
US8347392B2 (en) * 2005-08-25 2013-01-01 Hewlett-Packard Development Company, L.P. Apparatus and method for analyzing and supplementing a program to provide security
US20070074169A1 (en) * 2005-08-25 2007-03-29 Fortify Software, Inc. Apparatus and method for analyzing and supplementing a program to provide security
US20070067589A1 (en) * 2005-09-20 2007-03-22 Cisco Technology, Inc. Smart zoning to enforce interoperability matrix in a storage area network
US8161134B2 (en) * 2005-09-20 2012-04-17 Cisco Technology, Inc. Smart zoning to enforce interoperability matrix in a storage area network
US20070073744A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for providing link property types for content management
US20070073784A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for type inheritance for content management
US20110184929A1 (en) * 2005-09-26 2011-07-28 Oracle International Corporation System and method for providing spi extensions for content management system
US20070073671A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. Method and system for interacting with a virtual content repository
US7953734B2 (en) 2005-09-26 2011-05-31 Oracle International Corporation System and method for providing SPI extensions for content management system
US8316025B2 (en) 2005-09-26 2012-11-20 Oracle International Corporation System and method for providing SPI extensions for content management system
US7917537B2 (en) 2005-09-26 2011-03-29 Oracle International Corporation System and method for providing link property types for content management
US20070073674A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for providing federated events for content management systems
US7752205B2 (en) 2005-09-26 2010-07-06 Bea Systems, Inc. Method and system for interacting with a virtual content repository
US20070073661A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for providing nested types for content management
US20070073673A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for content management security
US7818344B2 (en) 2005-09-26 2010-10-19 Bea Systems, Inc. System and method for providing nested types for content management
US20070073672A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for lightweight loading for managing content
US7483893B2 (en) 2005-09-26 2009-01-27 Bea Systems, Inc. System and method for lightweight loading for managing content
US8024339B2 (en) * 2005-10-12 2011-09-20 Business Objects Software Ltd. Apparatus and method for generating reports with masked confidential data
US20070136237A1 (en) * 2005-10-12 2007-06-14 Business Objects, S.A. Apparatus and method for generating reports with masked confidential data
USRE45327E1 (en) 2005-12-19 2015-01-06 Dell Software, Inc. Apparatus, systems and methods to provide authentication services to a legacy application
US20070143836A1 (en) * 2005-12-19 2007-06-21 Quest Software, Inc. Apparatus system and method to provide authentication services to legacy applications
US7904949B2 (en) 2005-12-19 2011-03-08 Quest Software, Inc. Apparatus, systems and methods to provide authentication services to a legacy application
US8234361B2 (en) * 2006-01-13 2012-07-31 Fortinet, Inc. Computerized system and method for handling network traffic
US8495200B2 (en) 2006-01-13 2013-07-23 Fortinet, Inc. Computerized system and method for handling network traffic
US20070168547A1 (en) * 2006-01-13 2007-07-19 Fortinet, Inc. Computerized system and method for handling network traffic
US10038668B2 (en) 2006-01-13 2018-07-31 Fortinet, Inc. Computerized system and method for handling network traffic
US8087075B2 (en) 2006-02-13 2011-12-27 Quest Software, Inc. Disconnected credential validation using pre-fetched service tickets
US8584218B2 (en) 2006-02-13 2013-11-12 Quest Software, Inc. Disconnected credential validation using pre-fetched service tickets
US9288201B2 (en) 2006-02-13 2016-03-15 Dell Software Inc. Disconnected credential validation using pre-fetched service tickets
US20070192843A1 (en) * 2006-02-13 2007-08-16 Quest Software, Inc. Disconnected credential validation using pre-fetched service tickets
US20100235274A1 (en) * 2006-03-03 2010-09-16 Yu-Chiuan Chen Anti-terror platform for securing a community against terrorisms
US20070266433A1 (en) * 2006-03-03 2007-11-15 Hezi Moore System and Method for Securing Information in a Virtual Computing Environment
US20090183253A1 (en) * 2006-03-20 2009-07-16 Lawrence Kates Virus-resistant computer with data interface for filtering data
US20070220187A1 (en) * 2006-03-20 2007-09-20 Lawrence Kates Virus-resistant computer with data interface for filtering data
US8978098B2 (en) 2006-06-08 2015-03-10 Dell Software, Inc. Centralized user authentication system apparatus and method
US8429712B2 (en) 2006-06-08 2013-04-23 Quest Software, Inc. Centralized user authentication system apparatus and method
US20070288992A1 (en) * 2006-06-08 2007-12-13 Kyle Lane Robinson Centralized user authentication system apparatus and method
US8051474B1 (en) 2006-09-26 2011-11-01 Avaya Inc. Method and apparatus for identifying trusted sources based on access point
US20080086527A1 (en) * 2006-10-06 2008-04-10 Bea Systems, Inc. Groupware portlets for integrating a portal with groupware systems
US8463852B2 (en) 2006-10-06 2013-06-11 Oracle International Corporation Groupware portlets for integrating a portal with groupware systems
US7895332B2 (en) 2006-10-30 2011-02-22 Quest Software, Inc. Identity migration system apparatus and method
US8966045B1 (en) 2006-10-30 2015-02-24 Dell Software, Inc. Identity migration apparatus and method
US8346908B1 (en) 2006-10-30 2013-01-01 Quest Software, Inc. Identity migration apparatus and method
US8086710B2 (en) 2006-10-30 2011-12-27 Quest Software, Inc. Identity migration apparatus and method
US20080104250A1 (en) * 2006-10-30 2008-05-01 Nikolay Vanyukhin Identity migration system apparatus and method
US20080104220A1 (en) * 2006-10-30 2008-05-01 Nikolay Vanyukhin Identity migration apparatus and method
US20080109890A1 (en) * 2006-11-03 2008-05-08 Microsoft Corporation Selective auto-revocation of firewall security settings
US8214889B2 (en) 2006-11-03 2012-07-03 Microsoft Corporation Selective auto-revocation of firewall security settings
US20080168559A1 (en) * 2007-01-04 2008-07-10 Cisco Technology, Inc. Protection against reflection distributed denial of service attacks
US8156557B2 (en) 2007-01-04 2012-04-10 Cisco Technology, Inc. Protection against reflection distributed denial of service attacks
US7941837B1 (en) * 2007-04-18 2011-05-10 Juniper Networks, Inc. Layer two firewall with active-active high availability support
US20110231910A1 (en) * 2007-09-27 2011-09-22 Surendranath Mohanty Techniques for virtual private network (vpn) access
US20090089874A1 (en) * 2007-09-27 2009-04-02 Surendranath Mohanty Techniques for virtual private network (vpn) access
US8353025B2 (en) 2007-09-27 2013-01-08 Oracle International Corporation Method and system for dynamically establishing a virtual private network (VPN) session
US7954145B2 (en) * 2007-09-27 2011-05-31 Novell, Inc. Dynamically configuring a client for virtual private network (VPN) access
US20090113517A1 (en) * 2007-10-31 2009-04-30 Microsoft Corporation Security state aware firewall
US8060927B2 (en) 2007-10-31 2011-11-15 Microsoft Corporation Security state aware firewall
US10111034B2 (en) 2008-03-14 2018-10-23 Billjco Llc System and method for sound wave triggered content
US8600341B2 (en) 2008-03-14 2013-12-03 William J. Johnson System and method for location based exchanges of data facilitating distributed locational applications
US9204275B2 (en) 2008-03-14 2015-12-01 William J. Johnson System and method for targeting data processing system(s) with data
US10477994B2 (en) 2008-03-14 2019-11-19 William J. Johnson System and method for location based exchanges of data facilitating distributed locational applications
US9253597B2 (en) 2008-03-14 2016-02-02 William J. Johnson System and method for determining mobile users of interest
US8942733B2 (en) 2008-03-14 2015-01-27 William J. Johnson System and method for location based exchanges of data facilitating distributed location applications
US8942732B2 (en) 2008-03-14 2015-01-27 William J. Johnson Location based exchange operating system
US8942693B2 (en) 2008-03-14 2015-01-27 William J. Johnson System and method for targeting data processing system(s) with data
US9100792B2 (en) 2008-03-14 2015-08-04 William J. Johnson System and method for service-free location based applications
US9113295B2 (en) 2008-03-14 2015-08-18 William J. Johnson System and method for location based exchange vicinity interest specification
US9088868B2 (en) 2008-03-14 2015-07-21 William J. Johnson Location based exchange permissions
US8566839B2 (en) 2008-03-14 2013-10-22 William J. Johnson System and method for automated content presentation objects
US8923806B2 (en) 2008-03-14 2014-12-30 William J. Johnson System and method for presenting application data by data processing system(s) in a vicinity
US20100235748A1 (en) * 2008-03-14 2010-09-16 Johnson William J System and method for automated content presentation objects
US9392408B2 (en) 2008-03-14 2016-07-12 William J. Johnson System and method for location based exchanges of data facilitating distributed locational applications
US9014658B2 (en) 2008-03-14 2015-04-21 William J. Johnson System and method for application context location based configuration suggestions
US9088869B2 (en) 2008-03-14 2015-07-21 William J. Johnson System and method for application search results by locational conditions
US8887177B2 (en) 2008-03-14 2014-11-11 William J. Johnson System and method for automated content distribution objects
US8886226B2 (en) 2008-03-14 2014-11-11 William J. Johnson System and method for timely whereabouts determination by a mobile data processing system
US9445238B2 (en) 2008-03-14 2016-09-13 William J. Johnson System and method for confirming data processing system target(s)
US9456303B2 (en) 2008-03-14 2016-09-27 William J. Johnson System and method for service access via hopped wireless mobile device(s)
US8634796B2 (en) 2008-03-14 2014-01-21 William J. Johnson System and method for location based exchanges of data facilitating distributed location applications
US20100069035A1 (en) * 2008-03-14 2010-03-18 Johnson William J System and method for location based exchanges of data facilitating distributed location applications
US8639267B2 (en) 2008-03-14 2014-01-28 William J. Johnson System and method for location based exchanges of data facilitating distributed locational applications
US9078095B2 (en) 2008-03-14 2015-07-07 William J. Johnson System and method for location based inventory management
US8761804B2 (en) 2008-03-14 2014-06-24 William J. Johnson System and method for location based exchanges of data facilitating distributed locational applications
US9055406B2 (en) 2008-03-14 2015-06-09 William J. Johnson Server-less synchronized processing across a plurality of interoperating data processing systems
US8750823B2 (en) 2008-03-14 2014-06-10 William J. Johnson System and method for location based exchanges of data facilitating distributed locational applications
US8718598B2 (en) 2008-03-14 2014-05-06 William J. Johnson System and method for location based exchange vicinity interest specification
US9584993B2 (en) 2008-03-14 2017-02-28 William J. Johnson System and method for vector processing on behalf of image aperture aim
US10880189B2 (en) 2008-06-19 2020-12-29 Csc Agility Platform, Inc. System and method for a cloud computing abstraction with self-service portal for publishing resources
US20100011433A1 (en) * 2008-07-14 2010-01-14 Tufin Software Technologies Ltd. Method of configuring a security gateway and system thereof
US8490171B2 (en) 2008-07-14 2013-07-16 Tufin Software Technologies Ltd. Method of configuring a security gateway and system thereof
EP2146480A2 (en) 2008-07-14 2010-01-20 Tufin Software Technologies Ltd. Method of configuring a security gateway and system thereof
US8424074B2 (en) 2009-06-17 2013-04-16 Vendor Safe Technologies Method for deploying a firewall and virtual private network to a computer network
US20100325730A1 (en) * 2009-06-17 2010-12-23 Vendor Safe Technologies System and Method for Remotely Securing a Network from Unauthorized Access
US9576140B1 (en) 2009-07-01 2017-02-21 Dell Products L.P. Single sign-on system for shared resource environments
US8255984B1 (en) 2009-07-01 2012-08-28 Quest Software, Inc. Single sign-on system for shared resource environments
US9531674B2 (en) 2009-11-11 2016-12-27 Microsoft Technology Licensing, Llc Virtual host security profiles
US20110113483A1 (en) * 2009-11-11 2011-05-12 Microsoft Corporation Virtual host security profiles
US8897741B2 (en) 2009-11-13 2014-11-25 William J. Johnson System and method for mobile device usability by locational conditions
US8897742B2 (en) 2009-11-13 2014-11-25 William J. Johnson System and method for sudden proximal user interface
US20130003582A1 (en) * 2010-03-05 2013-01-03 Ahnlab, Inc. Network splitting device, system and method using virtual environments
US9485218B2 (en) 2010-03-23 2016-11-01 Adventium Enterprises, Llc Device for preventing, detecting and responding to security threats
US20110238979A1 (en) * 2010-03-23 2011-09-29 Adventium Labs Device for Preventing, Detecting and Responding to Security Threats
US10013691B1 (en) 2010-11-10 2018-07-03 Amazon Technologies, Inc. Separating control of network sites
US9313187B1 (en) * 2010-11-10 2016-04-12 Amazon Technologies, Inc. Network site customization using proxies
US8666828B1 (en) * 2010-11-10 2014-03-04 Amazon Technologies, Inc. Separating control of network sites
US9021549B2 (en) 2010-12-16 2015-04-28 Tufin Software Technologies Ltd. Method of generating security rule-set and system thereof
US8646031B2 (en) 2010-12-16 2014-02-04 Tufin Software Technologies Ltd Method of generating security rule-set and system thereof
US20120331104A1 (en) * 2011-04-19 2012-12-27 International Business Machines Corporation Controlling communication among multiple industrial control systems
US8732270B2 (en) * 2011-04-19 2014-05-20 International Business Machines Corporation Controlling communication among multiple industrial control systems
US9430622B2 (en) * 2011-07-13 2016-08-30 Dell Products L.P. Mini appliance
US20130016470A1 (en) * 2011-07-13 2013-01-17 Dell Products L.P. Mini Appliance
US8843515B2 (en) 2012-03-07 2014-09-23 Snap Trends, Inc. Methods and systems of aggregating information of social networks based on geographical locations via a network
US9626446B2 (en) 2012-03-07 2017-04-18 Snap Trends, Inc. Methods and systems of advertising based on aggregated information of social networks within geographical locations via a network
US10411975B2 (en) 2013-03-15 2019-09-10 Csc Agility Platform, Inc. System and method for a cloud computing abstraction with multi-tier deployment policy
US9503420B2 (en) 2013-04-09 2016-11-22 Electronics And Telecommunications Research Institute Logical network separation method and apparatus
US9477991B2 (en) 2013-08-27 2016-10-25 Snap Trends, Inc. Methods and systems of aggregating information of geographic context regions of social networks based on geographical locations via a network
US9961096B1 (en) 2013-09-17 2018-05-01 Cisco Technology, Inc. Distributed behavior based anomaly detection
US10194293B2 (en) 2013-09-30 2019-01-29 William J. Johnson System and method for vital signs alerting privileged recipients
US9894489B2 (en) 2013-09-30 2018-02-13 William J. Johnson System and method for situational proximity observation alerting privileged recipients
US10015162B2 (en) * 2015-05-11 2018-07-03 Huawei Technologies Co., Ltd. Firewall authentication of controller-generated internet control message protocol (ICMP) echo requests
US10491613B1 (en) * 2019-01-22 2019-11-26 Capital One Services, Llc Systems and methods for secure communication in cloud computing environments
US11159544B2 (en) 2019-01-22 2021-10-26 Capital One Services, Llc Systems and methods for secure communication in cloud computing environments
US11695773B2 (en) 2020-09-28 2023-07-04 Salesforce, Inc. Distributing dynamic access control lists for managing interactions with a cloud datacenter

Similar Documents

Publication Publication Date Title
US6182226B1 (en) System and method for controlling interactions between networks
AU687575B2 (en) Security system for interconnected computer networks
Bellovin Distributed firewalls
US7735116B1 (en) System and method for unified threat management with a relational rules methodology
US6219786B1 (en) Method and system for monitoring and controlling network access
US6453419B1 (en) System and method for implementing a security policy
US9258329B2 (en) Dynamic access control policy with port restrictions for a network security appliance
US6981143B2 (en) System and method for providing connection orientation based access authentication
US9037738B2 (en) Web-based security and filtering system for inbound/outbound communications with proxy chaining
US20020010800A1 (en) Network access control system and method
WO1999048261A9 (en) System and method for controlling interactions between networks
Abie An overview of firewall technologies
Cisco Evolution of the Firewall Industry
Cisco Introduction
Cisco Increasing Security on IP Networks

Legal Events

Date Code Title Description
AS Assignment

Owner name: SECURE COMPUTING CORPORATION, MINNESOTA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:REID, IRVING;MINEAR, SPENCER;REEL/FRAME:009290/0704;SIGNING DATES FROM 19980415 TO 19980418

STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: CITICORP USA, INC. AS ADMINISTRATIVE AGENT,NEW YOR

Free format text: SECURITY AGREEMENT;ASSIGNORS:SECURE COMPUTING CORPORATION;CIPHERTRUST, INC.;REEL/FRAME:018247/0359

Effective date: 20060831

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: SECURE COMPUTING CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CITICORP USA, INC.;REEL/FRAME:021523/0713

Effective date: 20080904

FEPP Fee payment procedure

Free format text: PAT HOLDER NO LONGER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: STOL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: SECURE COMPUTING, LLC,CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:SECURE COMPUTING CORPORATION;REEL/FRAME:024128/0806

Effective date: 20081120

AS Assignment

Owner name: MCAFEE, INC.,CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SECURE COMPUTING, LLC;REEL/FRAME:024456/0724

Effective date: 20100524

FPAY Fee payment

Year of fee payment: 12

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918

Effective date: 20161220

AS Assignment

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045056/0676

Effective date: 20170929

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045055/0786

Effective date: 20170929

AS Assignment

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:054206/0593

Effective date: 20170929

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:055854/0047

Effective date: 20170929

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786;ASSIGNOR:JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:054238/0001

Effective date: 20201026

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT;REEL/FRAME:059354/0213

Effective date: 20220301

AS Assignment

Owner name: SECURE COMPUTING CORPORATION, CALIFORNIA

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE PROPERTY NUMBERS PREVIOUSLY RECORDED AT REEL: 021523 FRAME: 0713. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF PATENT SECURITY AGREEMENT;ASSIGNOR:CITICORP USA, INC.;REEL/FRAME:059690/0187

Effective date: 20080904